Policies for Selling
Last updated January 19, 2021
This page provides a detailed breakdown of policies that must be respected when selling media via Xandr, including prohibited and restricted content, and detailed information about individual policies.
To print or download these policies, go to ... and click Export to PDF or Export to Word.
Where the International Data Addendum is applicable, this document also sets out obligations applicable to Xandr. For policies that must be respected when buying media via Xandr, see our Policies for Buying. Note that there is some overlap between policies for buying and selling.
- Generally Applicable Content Prohibitions
- Content Allowed but Restricted
- Prohibited Sell-Side Practices
- Third-Party Buyer Policies
- Policy Enforcement
- Export Controls/OFAC Restrictions
"Content" includes ad creatives, landing pages, any inventory, or other content connected to advertising transacted in the Xandr platform.
Generally Applicable Content Prohibitions
|Dangerous hate speech|
Content that depicts, contains, or provides access to dangerous hate speech. Dangerous hate speech includes any gesture, conduct, writing, or display, including but not limited to anything that is intended to incite violence, intimidation, or a discriminatory response against a protected individual or group. The law may identify a protected individual or a protected group by race, gender, nationality, ethnicity, religion, sexual orientation or other characteristics.
Content that depicts, contains, or provides access to pornography, nudity, obscenity, and other “adult” content (except risqué content as defined by and explicitly permitted by Xandr).
Content that contains, installs, links to, or prompts the download of any malware.
Customers must have reasonable procedures to prevent malware. For the complete policy and more information, see Malware Policy below.
Content that Xandr reasonably believes:
Content featuring the sale of or instructions to create bombs, guns, ammunition, or other weapons.
Content that depicts, contains, or provides access to violent content.
Content that depicts, contains, or provides access to defamatory content.
Content featuring the sale of drugs, pharmaceuticals, or drug paraphernalia that is illegal.
Content that depicts, contains, or provides access to any files that execute or download without intentional user interaction.
Content that automatically redirects to other sites or apps.
|Government forms or services|
Content that depicts, contains, or provides access to offers that charge for government forms or services that are available for a lesser charge or free from the government.
Content Xandr reasonably believes is likely to be in violation of any applicable law, regulation, or court order.
Content that Xandr reasonably deems to be (a) morally reprehensible or patently offensive, and (b) without redeeming social value.
|Flash Cookies and other LSOs||Do not use LSOs including flash cookies, browser helper objects, and HTML5 localStorage. Ad creatives hosted by or trafficked through the Xandr platform may not set Flash cookies or other local shared objects (LSOs) for purposes of online behavioral advertising, ad delivery and reporting, or multi-site advertising. Prohibited uses include, but are not limited to, storing user IDs, interest segments, user browsing history, or other unique user data.|
Fake Errors and Warnings
Content that displays fake errors or warnings to induce user action, including, for example, warnings about viruses, missing codecs, and corrupt disks.
|Inadequate privacy notice or consent|
Content that does not provide data protection and privacy notice, does not obtain necessary valid user consent, and does not provide end-users with information and choices, each in accordance with applicable law, for data collection or for material functionality of a site or software through which ads are delivered, or through which data are collected for subsequent use in advertising.
|Interferes with navigation|
Content that causes interference with user navigation (e.g. preventing a user from leaving a page, by popping dialogs, pop-ups, new windows, etc.).
|Interferes with other ads|
Content that obscures, replaces, modifies, or otherwise interferes with another party’s ads or ad inventory.
Content with an unusually high click through rate, or content that automatically generates clicks on ad units.
Content Allowed but Restricted
Xandr allows gambling content, but with geographic and other restrictions. In general, Sellers are responsible for ensuring compliance with all applicable regulations. See the full Gambling Policy below.
Xandr will not allow pornographic or obscene content (inventory, ads, and landing pages) to be bought or sold over the Xandr platform under any circumstances. However, with explicit permission, "white labeled" (CNAMED) customers may transact in sexually-oriented, non-pornographic, non-obscene content within their own direct relationships on their own managed inventory. Notwithstanding this policy, Xandr may remove or deactivate any content in its reasonable discretion.
Toolbars, Plugins, Applications, and Resold Inventory
For any inventory generated from a user-installed toolbar, plug-in, app, or other mechanism, if the mechanism inserts or otherwise adds advertising units to an inventory source, and such source is owned or operated by a third party that is unaffiliated with the seller of the inventory, and such advertising units are added without explicit authorization from the third party, the inventory may be sold on Xandr only under certain conditions, as described in Toolbars, Plugins, Similar Inventory Sources, and Resold Inventory Policy below.
For ads that promote, and directly or indirectly link to sites that contain software, the software must:
Prohibited Sell-Side Practices
|Misrepresented inventory||Content that does not accurately represent the source or type of inventory, except as configurable within the Xandr platform and permitted by Xandr.|
|Excessive ad units||Sources of inventory, e.g. websites, may not contain an excessive number or density of units.|
|No ad units|
Sources of inventory, e.g. websites, that have no visible ads.
Websites that do not appear to function.
|Sole purpose of garnering ad impressions|
Content that clearly appears to be intended for the sole purpose of garnering ad impressions, without providing any material content or service to users.
Content that simulates or artificially initiates clicks, impressions or conversions, including by automatically refreshing tags or pages or via the use of nonhuman traffic.
Members may not sell inventory on the platform that they do not own or operate without the permission of the owner of the inventory’s underlying domain or app.
For the complete policy and more information, see Toolbars, Plugins, Similar Inventory Sources, and Resold Inventory Policy below.
|Illegal or harmful||Content or practices not otherwise addressed in these policies that may violate any law, rule, or regulation, or may otherwise be harmful to Xandr or a third party.|
All clients are responsible for complying with applicable data protection and privacy laws and adhering to self-regulatory codes in their use of the Xandr platform. In some cases the Xandr platform provides features that clients may find useful in furtherance of their own compliance. For useful information about privacy and the Xandr platform, see our information page, Privacy and the Xandr Platform.
Clients are responsible for ensuring that users are notified about the data collection and use practices taking place on the sites or apps from where they make inventory or data available through the Xandr platform, including by taking steps to ensure that such practices are disclosed to end users in sellers' and sellers' clients' or partners' websites, and in the applicable websites and mobile apps where data is collected or used for advertising. Exactly how and where such disclosures are provided will depend on the particular context.
Notice to users should include:
Notice to users in the European Economic Area, the UK and Switzerland (“EEA”) should also include:
Xandr recommends that clients that allow collection or use of data for behavioral advertising use the Ad Choices icon. Xandr does not provide a license for use of the icon, which must be licensed directly via the DAA or local equivalent.
|Choice and Consent|
Where relying on consent as a legal basis, clients must obtain valid consent (freely given, informed, specific and unambiguous and that names Xandr) for data collection and use, including cookie or other tracker usage, as applicable, that results from their participation on the Xandr platform, or otherwise from their use of Xandr Services. Clients must also enable users to withdraw their consent at any time and then stop the relevant processing.
Where relying on legitimate interest as a legal basis, clients must enable users to object to the processing of their personal data. This option is only available for clients in those countries where local law permits use of legitimate interest as the legal basis for processing. For users located in the EEA and the UK, Xandr is registered with and supports the IAB Europe Transparency and Consent Framework (the “Industry Framework”). The Industry Framework is designed to allow Clients the means to choose which third parties (“vendors”) are able to access the devices or process the information of their users, for purposes and pursuant to the legal basis the third party provides in advance through the Industry Framework’s vendor list, and provide dynamic transparency and choice to their users about each of these third parties in connection with each user’s visit to the Client’s sites. If you use the Industry Framework, we will be able to automatically incorporate your choices into our Platform for each impression a Client sends to us.
For users located in the EEA and the UK, to the extent a Client is not using the Industry Framework, ad impressions must be sent to Xandr in compliance with applicable law. Where relying on consent, a valid consent mechanism should be put in place allowing users to have control over all the cookies or other trackers the Client’s website or app sets, not just Client’s cookies or other trackers (and including Xandr’s cookies or other trackers). Where relying on consent, Clients must be able to provide evidence of consent at Xandr’s request; this must show both the user consent and the user interface and associated notices which the user would have seen before providing consent. Clients must also agree to Xandr’s audit of their mechanisms for obtaining and proving consent, provided that Xandr gives reasonable notice of an audit request and that information provided during an audit is protected as confidential information. We provide platform controls that give Clients the ability to determine which third parties we share their users’ information with. To the extent required under applicable law in a given Member State, Clients should use these platform controls to ensure Xandr only shares their users’ information with third parties that have been disclosed to the users and, where required and applicable, only when the Client has obtained the appropriate consent from the users. Clients may also be required to comply with the policies of demand sources they enable through the platform. The collection of consent to cookies or other trackers must comply with the competent European data protection authority’s guideline and must name Xandr.
For children located in the EEA, the United Kingdom, Switzerland and Brazil, Clients must obtain consent from the holder of parental responsibility over any child under the age required for parental consent, as determined by the laws of the country in which the child resides. In some cases the consent of both the holder of parental responsibility and the child may be required.
|Personally Identifiable Information (PII), Directly identifiable Information||Clients must not bring onto the platform or associate with any Xandr resource, e.g. ID, pixel, or domain, any data that, by itself, directly identifies an individual, such as name, address, phone number, email address, or government identifier.|
Xandr does not allow sensitive information about end users to be used on the Platform. Sensitive information is information deemed as sensitive under applicable law such as information about users’ racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, or health or sex life or sexual orientation or under industry self-regulatory code, including, but not limited to information about users' national identification number or finances, and information about children. For clarity, sensitive information includes “special categories of personal data” as defined under applicable laws.
Clients must use reasonable measures to identify child-directed inventory, and not misclassify child-directed inventory, and must not send personal data to Xandr where Client is, or should be, aware that the user is a child, unless and solely to the extent such personal data is flagged as child data using such mechanisms and flags that Xandr may provide in its sole discretion and in accordance with Xandr's guidelines for use of such flag. For this purpose, a child is a person under the age of (i) 16, for children located in the US; (ii) 18, for children located in Brazil; (iii) the age required for parental consent, as determined by the laws of the country in which the child resides, for children located in the EEA or the UK; and (iv) the age defined by the laws and regulations of the given jurisdiction, for children located outside of the US, the EEA, the UK, and Brazil, as further described in the Child-Directed Inventory Policy below.
International Data Addendum
Client and Xandr must abide by the terms of the International Data Addendum where the Client is selling inventory relating to end users in the EEA, Switzerland, the United Kingdom, or Brazil.
You can find the International Data Addendum at Annex 1.
Third-Party Buyer Policies
In addition to Xandr's privacy policies herein, if you wish to enable the third-party buyers set forth below to buy your advertising inventory through our platform, you are responsible for understanding and adhering to their policies, which are linked below. These links to third-party policy documents are offered below as a convenience; however, these links are not guaranteed by Xandr to be up to date or all inclusive. Other policies may apply.
Google (DV360): https://www.google.com/about/company/consentstaging.html
Export Controls/OFAC Restrictions
All clients are responsible for compliance with any applicable export controls and economic sanctions programs, including those administered by the U.S. Department of Commerce’s Bureau of Industry and Security, the U.S. State Department’s Directorate of Defense Trade Controls, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”), and the U.S. State Department’s Office of Economic Sanctions Policy and Implementation, as follows:
|Export Controls Compliance|
The client shall comply with all applicable export controls laws and regulations of the U.S. Government, including not exporting (from the United States), reexporting (from a third country), or transferring (between two parties in the same third country) goods, software, technology, or technical data subject to U.S. jurisdiction unless authorized by relevant laws and regulations or an export license.
The Xandr platform isn’t permitted for use by clients who are located, organized, or resident in countries or territories that are subject to comprehensive sanctions including the Crimea region of Ukraine, Cuba, Iran, North Korea and Syria (such countries or territories, the “Embargoed Regions”) or are otherwise subject to sanctions.
|Restrictions on Dealing with Sanctioned Individuals, Entities, and Countries|
If a client is based in a location that has become subject to sanctions or OFAC sanctions, or the client is directly or indirectly owned or controlled by any person that is subject to sanctions, such client’s account may be immediately suspended or terminated. We will notify you by e-mail if we suspend your account, but no grace periods or exceptions are possible.
|Account Access within Embargoed Regions|
Even if a client is not ordinarily based in an Embargoed Region, users may not be able to sign in to their accounts when physically present in an Embargoed Region.
|Geo Targeting||The Xandr platform cannot be used to run ad campaigns that specifically and primarily target the Embargoed Regions.|
Expanded Versions of Select Xandr Policies
- Toolbars, Plugins, Similar Inventory Sources, and Resold Inventory Policy
- Gambling Policy
- Malware Policy
- COPPA Policy
- Inventory Policy Enforcement
Toolbars, Plugins, Similar Inventory Sources, and Resold Inventory Policy
To be eligible to provide inventory to the Xandr platform, the toolbar, plugin, app, or other mechanism must:
- provide the user with clear and conspicuous notice about all material functionality,
- obtain freely given, specific, informed and unambiguous indication of the consent from the user, which names Xandr, prior to download or installation,
- provide an easy means for the user to withdraw their consent and thus an easy-to-use uninstall to the user; and
- allow the user to maintain control over his or her computing environment.
For any inventory generated from a user-installed toolbar, plug-in, app, or other mechanism, if the mechanism inserts or otherwise adds advertising units to a page or site, and such site is owned or operated by a third party that is unaffiliated with the seller of the inventory, and such advertising units are added without explicit authorization from the third party, the inventory may be sold on Xandr only under the following conditions:
- The added advertising units must not replace, obscure, modify, or in any way interfere with any advertising units present on the underlying page.
- The seller must report the underlying domain to Xandr, i.e. the underlying page and not the toolbar domain.
- The seller must affirmatively identify the inventory using a self-audit inventory attribute and segregate it from non-toolbar inventory. Sellers may use the Xandr UI or the API to classify their inventory.
Xandr scans inventory for placements flagged as “Toolbar, plugins, or extensions” on an ongoing basis.
Members may not sell inventory on the platform that they do not own or operate without the permission of the owner of the inventory’s underlying domain or app.
Xandr allows sellers of gambling content to make inventory available, subject to certain restrictions.
Gambling is susceptible to many definitions throughout the world, and generally refers to risking something of value upon an uncertain outcome in the hopes of receiving something of value beyond the amount placed at risk. It usually, but not always, involves at least some element of chance.
Gambling may include activities commonly referred to as gaming, wagering, betting, and bookmaking. It also may include activities involving casinos, games of chance, lotteries, raffles, sweepstakes, penny auctions and fantasy sports contests.
Xandr does not apply a singular definition to gambling. Rather, as explained below, gambling may include any number of activities promoted by publishers or in ads. Xandr reserves the right, in its sole and absolute discretion, to amend or expand the activities that it deems to be gambling.
For purposes of this policy, “gambling content” means the following:
- Any type of content, whether promoted by publisher or advertiser, that promotes, either directly or indirectly, online (internet or mobile) and offline (land-based or “bricks and mortar” casinos, betting shops, card rooms or other gambling establishments) gambling, gaming, betting or wagering of any kind, whether for cash prizes or other things of value, including but not limited to casino games, poker, sports betting (whether individual or parlay wagering), pari-mutuel wagering or “betting pools” (including horse racing, dog racing, and jai alai), lotteries, raffles, sweepstakes, penny auctions and fantasy sports contests.
- Any type of content that otherwise relates in any way to the foregoing activities, including content containing promotional products, services or materials, including education, “learn to play,” “practice” and other free simulation sites affiliated with online or offline gambling or wagering sites or facilities.
Notwithstanding any other provision in this policy, Xandr prohibits sellers of gambling content from making inventory of any kind available in the following countries through the Xandr platform:
- Hong Kong
- United Arab Emirates
Restrictions on Sell-Side Gambling Content
Subject to the preceding prohibitions, Xandr generally permits sellers to make ad inventory containing gambling content (“Gambling Ad Inventory”) available, where such content is not prohibited, so long as the seller complies with the following requirements:
- The seller complies with all applicable laws, rules and regulations in any jurisdiction where the publisher is located and where the ads serve.
- The seller and the publisher currently hold all required licenses, permits, registrations, waivers, consents or other governmental approvals (collectively, “licenses”) to operate in the jurisdictions in which the publisher is located and in which the ads serve.
- The seller is in compliance and agrees to remain in compliance with all applicable laws and the terms of all applicable licenses.
- The seller agrees not to make its inventory available in any jurisdiction specifically prohibited by this policy, as such may be updated from time to time.
- The seller is approved by Xandr to sell gambling inventory.
- The seller acknowledges that approval does not guarantee that gambling inventory can be sold. Xandr reserves the right to conduct appropriate due diligence and, in its sole and absolute discretion, may prohibit any content from being sold for any reason whatever.
For information about how to prevent gambling ads from serving on seller inventory, see "Opt Out of Gambling Ads" in our UI documentation.
Malware is malicious software designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.
Xandr makes proactive efforts to prevent malware from being served in the Xandr ecosystem. Xandr retains discretion to take any reasonable action to address malware issues.
Policies and Procedures Required
Customers of the Xandr platform must make every reasonable effort to prevent malvertising. Xandr has no tolerance for lax policies and procedures for preventing malvertising.
Although customers are responsible to ensure their own policies and procedures are sufficient, Xandr may at any reasonable time -- including as a pre-requisite to any campaign -- review a customer’s policies and procedures, and make recommendations to strengthen them. If Xandr’s recommendations are not reasonably evaluated and implemented, or if at any time Xandr finds a customer’s policies or procedures are lacking, an account may be paused until the customer makes improvements.
When malvertising is detected
Immediate deactivation for investigation: Any creative, landing page, domain, or other resource we identify as a malware threat or a source of malware will be deactivated immediately and investigated jointly with the customer. Xandr may also deactivate or block any additional resources, including a campaign, or a customer’s entire account, for purposes of preventing malvertising or investigating the incident.
Child-Directed Inventory Policy
Laws in various jurisdictions regulate the collection and use of data from or about children.
In the US, the Children’s Online Privacy Protection Act of 1998 (COPPA) regulates the online collection and use of personal information from or about children. Under US Federal Trade Commission (FTC) rules implementing COPPA, it is prohibited (i) to create or update a user profile based on an activity (such as a click or a visit) on a child-directed site or app and/or (ii) to deliver an ad based on prior online activity to a user on a child-directed site or app.
In the EEA, the General Data Protection Regulation (“GDPR”) regulates the processing of personal information from or about children. Under the GDPR, where the client processes personal information of a child to provide information society services and where the lawful basis for this is consent, then, where the child is younger than 16 (or the age required for parental consent as determined by the laws of the Member State in which the child resides) consent must be given or authorized by the holder of parental responsibility of the child. In specific Member States the consent of both the holder of parental responsibility and the child may be required. Similar rules apply in the United Kingdom and other countries.
For COPPA or other applicable laws, rules, and regulations, including GDPR, Xandr requires the correct classification of child-directed inventory:
Identifying Child Sites
- Xandr Audit:
- Xandr, in the course of its standard inventory auditing process (i.e., for sites submitted for Xandr audit), may identify and categorize sites and apps intended for children.
- Sellers must use reasonable procedures to identify child-directed sites and apps using the existing categorization functionality on the Xandr platform.
- You may not misclassify inventory you make available to the Xandr platform.
Additionally, sellers must not send personal data to Xandr where Client is, or should be, aware that the user is a child, unless and solely to the extent such personal data is flagged as child data using such mechanisms and flags that Xandr may provide in its sole discretion and in accordance with Xandr's guidelines for use of such flag. For this purpose, a child is a person under the age of (i) 16, for children located in the United States; (ii) 18, for children located in Brazil; (iii) the age required for parental consent as determined by the laws of the country in which the child resides, for children located in the EEA and the United Kingdom; and (iv) the age defined by laws or regulation of the given jurisdiction, for children located outside of the United States, Brazil, the EEA and the United Kingdom.
Clients must provide notice in clear and plain language that a child can easily understand; information provided should be tailored to the age of the child.
Xandr is committed to maintaining a high standard of quality across our platform.
|Xandr may take any reasonable action to enforce policies||Xandr may, in its discretion, take any reasonable action to protect the health and safety of our platform, our customers/clients, and end users. This includes that Xandr may disable, block, or otherwise ban, any content, and in some cases suspend or terminate member accounts, to address content or practices it reasonably believes do not conform with its Service Policies.|
|Customers/Clients must have policies and procedures||Customers/Clients of the Xandr platform must have policies and procedures in place to ensure compliance. While individual efforts may vary depending on the circumstances, all members are responsible for actively monitoring and policing any inventory that they make available for sale, and must promptly respond to any violations. Xandr may review a member’s policies and procedures, and request improvements, including as a requirement to sell through the platform.|
|Withholding payment for violations||Xandr generally reserves the right to withhold payment to sellers for any inventory sold on our platform that violates our Service Policies.|
While, as stated above, Xandr reserves the right to take any reasonable action to enforce the Service Policies, Xandr may consider the following:
- Whether the member has reasonable policies and procedures in place.
- Whether the member’s existing policies and procedures were followed.
- Whether and how the member has implemented prior recommendations from Xandr.
- The degree to which the incident was preventable or purposeful.
- The severity of the incident.
If you believe your content has been blocked or incorrectly categorized in our system, please contact customer support to open a ticket.
Supplemental Policy Information
- Fake Errors and Warnings, and Software Downloads FAQs
- Anti-Piracy FAQs
- COPPA FAQs
- Annex 1 International Data Addendum
This section is intended as a source of supplemental information to aid clients in the understanding of concepts and questions relating to Xandr policies. Please note that the content below does not contain official Xandr policy or legal advice. Official Xandr policies are detailed in the sections above.
Fake Errors and Warnings, and Software Downloads FAQs
Does this apply only to audited creatives?
No. This applies to all content introduced to the Xandr platform.
We can still do whatever we want on our own managed inventory, right?
No. Xandr’s prohibited content policies apply to all content introduced to the platform.
What else besides the examples – viruses, missing codecs, and corrupt disks – is covered by this policy?
The policies apply generally to the use of fake errors or warnings to induce user action. If you have an example and are unsure if it is affected by this policy, please contact customer support.
What happens if we violate the policy?
Xandr will proactively search for and deactivate all content on the Platform that violates this policy. We will continue to work closely with our clients to help them comply and to ensure a safe online ecosystem for advertisers, publishers, and Internet users. However, Xandr may suspend or deactivate any creatives, campaigns, or accounts, as reasonably necessary, for investigation or to prevent further serving of ads that violate the policy. In addition, repeated, egregious or uncured violations of the policy may result in termination.
Xandr prohibits content that infringes on intellectual property rights.
What criteria does Xandr use to determine which sites are allowed?
Although we will not disclose our specific criteria for identifying piracy sites, we can provide some additional guidance. Most importantly and pursuant to our policy, we look for sites with content that is “clearly and predominantly” infringing, or sites that “induce infringement”. “Clearly and predominantly” means, quite simply, that it seems clear to us that most of the content made available on the site is infringing copyrighted material. “Induces infringement” means the site clearly encourages infringement of copyrighted material, for example by providing incentives to upload infringing content or by emphasizing that infringing content is available. If you believe we have blocked your site in error, please contact customer support.
What happens if we violate the policy?
Xandr may suspend or deactivate any sites or accounts, as reasonably necessary, for investigation or to prevent violation of the policy. In addition, repeated, egregious or uncured violations of the policy may result in suspension or termination.
What is COPPA?
The Children’s Online Privacy Protection Act of 1998 (COPPA) regulates privacy around the online collection and use of personal information of children. The US Federal Trade Commission (FTC) implements and enforces rules pursuant to COPPA, and provides a set of FAQs to further explain how the rules apply.
What about non-US sites?
The FTC has indicated that COPPA does apply to foreign-based sites that are directed to children in the US or that knowingly collect personal information from children in the US. However, other jurisdictions may have their own similar rules.
How do we know if a site is a Child Site?
The FTC has provided guidance on identifying Child Sites in the new rule, in the additional guidance in the COPPA FAQs, and in the FTC's history of its COPPA enforcement actions.
What do I do if I become aware of inventory on the platform that might be a Child Site?
Contact us via customer support.
What do I do if I become aware of inventory that appears not to be child-directed but that is classified as a Child Site?
Contact us via customer support.
Annex 1 International Data Addendum
Including its Exhibits, as amended or supplemented from time to time
Capitalized terms used in this International Data Addendum but not otherwise defined, shall have the meanings given to such terms in each Service Agreement in force between Xandr and you, as applicable.
In connection with the Services provided to you (for the purpose of this addendum the "Company"), Xandr and other Data Controllers and Data Processors enabled by the Company through the Services may process certain Personal Data of which the Company or its Affiliates may be a Data Controller pursuant to Data Protection Laws (as defined below).
The Parties want to ensure that they both comply with Data Protection Laws, respect the fundamental data protection rights of the Data Subjects whose Personal Data will be processed, and ensure adequate safeguards are in place to protect such Personal Data when sharing such Personal Data pursuant to each Service Agreement (as applicable).
You and Xandr agree as follows:
- “Advertising Transaction” means the actual or attempted purchase or sale of Ad Inventory, the serving of Ad Units to Ad Inventory, or the processing of data related to Ad Inventory or Ad Units for analysis, using the Services.
- “Xandr” (formerly known as AppNexus) means the Xandr entity set forth in each of your Service Agreements or to which a Service Agreement was assigned by Xandr in accordance with the terms of the Service Agreement. The Xandr entities include each of the entities set forth on the Xandr Group Companies list (currently located at: https://wiki.xandr.com/x/sYR8BQ), which may be updated by us from time to time. When we refer to “we” or “us” throughout the agreement, it means Xandr. For such Service Agreement with Clients based in Spain, Xandr shall mean Xandr Inc.
- “Bidding/Targeting Terms” shall have the meaning set forth in each Service Agreement or if not set forth in a Service Agreement means, with respect to that Service Agreement, any information and/or data provided to the Services by or on behalf of you or your Clients or Providers to conduct Advertising Transactions.
- “Client” means (i) with respect to you, each third-party client (e.g., an advertiser or publisher) on whose behalf you use a Service or whom you allow access to the Service, and (ii) with respect to us, each third-party client (e.g. an advertiser or publisher) we contract with for the use of our Services.
- “Data Protection Laws” means any Law relating to the processing, privacy, and use of Personal Data, as applicable to Xandr, Company, its Clients, its Providers, and the Services, including, without limitation: (1) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), and/or any corresponding or equivalent national Laws; (2) all relevant member state Laws giving effect to or corresponding with any of them; (3) the GDPR as amended by any legislation arising out of the withdrawal of the UK from the European Union; (4) the Brazilian General Data Protection Law (Law No. 13,709/2018); (5) the Swiss Federal Act on Data Protection; (6) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority; (7) any other applicable laws, rules, and regulations, including, without limitation, industry self-regulations; and (8) ePrivacy Laws.
- “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “processing” will have the meanings given to those terms under Data Protection Laws.
- “EEA” means the European Economic Area.
- “ePrivacy Laws” means (1) the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426 (UK), and any laws or regulations implementing Directive 2002/58/EC (“ePrivacy Directive”) and/or any corresponding or equivalent national Laws; (2) the ePrivacy Directive, or the Regulation concerning the respect for private life and the protection of Personal Data in electronic communications (Regulation on Privacy and Electronic Communications) 2017/0003 (COD), once applicable, and all relevant member state Laws or UK law giving effect to or corresponding with any of them; and (3) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- “Law” means any law, rule, or regulation.
- “Mapping Tables” means a table of your unique user identifiers mapped to Xandr’s unique user identifiers.
- “Personal Data Breach” means any breach of security leading to the accidental or unlawful access to a Party’s Personal Data that is likely to result in a risk to the rights and freedoms of natural persons, as determined by that Party who suffered the breach.
- “Processor Data” means, as applicable, Segment Data, Query String Data, your Mapping Tables, and data provided to Xandr by or on behalf of the Company to provide our Yieldex Services (as defined in your Service Agreement for use of the Yieldex Services).
- “Provider” means any partner, supplier, or Subcontractor (e.g. a data provider) whom the Company allows to (i) access a Service or (ii) provide data to or through a Service, or whom the Company allows access to data in connection with a Service.
- “Query String Data” means data included in the “query string” portion of a URL provided to us by you (e.g. data forming part of a uniform resource locator (URL) provided to us by you that does not fit conveniently into a hierarchical path structure and commonly includes fields added to a base URL by an Internet browser or other Client application).
- “Segment Data” means groupings of Personal Data, including without limitation groupings of demographic, behavioral, contextual, and/or other data identified by a set of cookies or other identifying mechanisms, provided by or used by you for targeting Ad Units to Data Subjects.
- “Service Agreement” means each Xandr Exchange Agreement, App Marketplace Agreement, Data Access Agreement, Data Provider Services Agreement, External Bidder Agreement, Master Hosting Agreement, Master Services Agreement, Master Terms, or any such applicable service agreement for the use of any Xandr Service, including without limitation Advertising Technology, Xandr Supply Integration, Bidder, Console, External Supply Partner, Cloud Hosting, Open AdStream, Yieldex, Data Access, Data Services, or any other Services offered by Xandr that are in effect.
- “Sites” shall have the meaning given to it in each Service Agreement or if not set forth in a Service Agreement means, with respect to that Service Agreement, digital properties (e.g., websites or applications) for which a Service is utilized or through which Personal Data used in connection with the Services is collected.
- “Sub-Processor” means a processor of Personal Data engaged by a Party who is acting as a Data Processor hereunder.
- “Supervisory Authority” means any local, national, or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
- Compliance and Contact.
- Compliance. Unless otherwise agreed (i) Xandr will be considered a Data Processor of Processor Data; and (ii) both Xandr and Company will be considered Data Controllers of all other Personal Data processed in relation to the Services. Any Subcontractor engaged by Xandr pursuant to its data processing obligations will be a Sub-Processor. The Company undertakes to comply with all applicable Data Protection Laws in respect of its performance and/or exercise of rights under each Service Agreement (including this International Data Addendum).
- Contact. Company shall notify Xandr of an individual within its organisation authorised to respond from time to time to enquiries regarding Personal Data and shall deal with such enquiries promptly. The individual within Xandr authorised to respond from time to time to enquiries regarding Personal Data and who shall deal with such enquiries promptly is currently set forth in our user interface and/or wiki (currently located at: https://wiki.xandr.com/x/yhFxBQ), which may be updated by us from time to time.
- Lawful Basis for Processing, Access to Devices, Notification.
- Data Controller. Each Data Controller is responsible for identifying, documenting, and at all times processing Personal Data in accordance with an appropriate lawful basis for the processing of each Data Subject’s Personal Data.
- Other Data Controllers. In each case where you use any Personal Data sourced from a Client or Provider in connection with the Services, you will require that such Clients and Providers provide and/or obtain, and ensure that the Clients' and Providers’ own sources of Personal Data provide and/or obtain, the notification and/or consent in accordance with the requirements of this Section 3.
- Data Subject Rights.
- Data Subject Requests. The Parties will cooperate with each other in the fulfilment of their respective obligations related to Data Subject requests for access, rectification, erasure, restriction, or other requests under Data Protection Laws. With respect to Personal Data of which we are both Data Controllers, if you receive a Data Subject request that you do not have the ability to handle, Xandr will comply with any commercially reasonable request by you to facilitate necessary actions to the extent we are legally permitted to do so. If, after making reasonable efforts to cooperate with you, Xandr receives a Data Subject request that we reasonably believe to be well-founded under Data Protection Laws, we may, in an effort to comply with applicable Data Protection Laws, respond to the request, confirming whether our role in respect of the Personal Data that is the subject of the request is as Data Controller, Data Processor or Sub-Processor (and where Xandr is the Data Processor or Sub-Processor, you hereby instruct us to do so). For Segment Data, you agree that when we receive a request for access, rectification, erasure or restriction, we may provide details to a Data Subject regarding the segments in which you have placed them and delete, or put beyond effective use, their Personal Data from segments, as applicable (and you hereby instruct us to do so).
- Complaints. If Xandr or the Company receives any claim or complaint in connection with the Processing of Personal Data to which this International Data Addendum applies, then such Party shall promptly notify the other Party of this.
- Technical and Organizational Measures. Taking into account the nature of and risks associated with the type of Personal Data collected or used in connection with the Services, Xandr and the Company shall have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data by or on behalf of the Parties, and all other such measures as may be agreed between the Parties. The measures Xandr takes are currently set forth in our user interface and/or wiki (currently located at: https://wiki.xandr.com/x/kBFxBQ), which may be updated by us from time to time.
- Mutual Cooperation and Audits.
- Reasonable Assistance. For Personal Data where Xandr and the Company both act as Data Controllers, the Parties will provide reasonable assistance and reasonably cooperate with each other to assist with compliance with Data Protection Laws. Subject to obligations of confidentiality and policies on the disclosure of information, where a Party has a concern that the other Party has not complied with this International Data Addendum, the Parties agree to exchange information to ascertain the cause of such non-compliance and take reasonable steps to remediate.
- Changes in Law. In the event that there is a change in applicable Data Protection Laws that would, in the reasonable opinion of Xandr, require changes to the Services, the means by which the Services are provided by Xandr and/or this International Data Addendum, Xandr reserves the right to make such changes; provided that, to the extent possible, Xandr will provide at least thirty (30) days prior written notice (including by email) of such changes and agrees to discuss such changes in good faith. If the required changes will cause a material harm to either Party or materially alter either Party’s provision or use of the Services, such Party may terminate the Order for the affected Services upon written notice without liability for such termination.
- Right to Monitor. Each Party shall make available to the other Party all information necessary to demonstrate compliance with this International Data Addendum and each Party may (or if mandated by a Supervisory Authority, will) allow for a mutually agreeable independent, internationally-recognized certified public accounting firm (it being understood and agreed that any of the “Big Four” public accounting firms are mutually agreeable), which does not at such time provide any audit services to either of the Parties, to audit, at a mutually agreed upon time during normal business hours of the Party or affiliated party who is subject to the audit, and in a manner that does not unnecessarily or unreasonably interfere with the operation of business, those systems and records that are reasonably necessary for the purposes of determining compliance with applicable Data Protection Laws (an “Audit”). Upon the other Party’s request, the auditor must execute a confidentiality agreement reasonably acceptable to the Party undergoing the Audit, provided that this requirement will not be used to obstruct the right to conduct an Audit. The result of the Audit and all information reviewed during such Audit will be deemed the Confidential Information of the Party undergoing the Audit (save for disclosure to a Supervisory Authority or otherwise required by Law). Additionally, the Party conducting the Audit shall give at least four (4) weeks’ notice of any Audit, reasonably ensure the Audit is undertaken with minimal disruption to the other Party’s or its Clients, Subcontractors and/or Sub-Processors’ business (as appropriate) and shall pay the other Party’s reasonable costs for assisting with the provision of information and allowing for and contributing to Audits unless a material breach of the International Data Addendum is determined to have occurred.
- Personal Data Breach. With respect to any Personal Data Breach, the Party who suffers, or the Party whose Processors and/or Sub-Processors suffer, such breach (“Data Breaching Party”), without undue delay (but in no event later than 48 hours after becoming aware of the Personal Data Breach) agrees to (i) notify the other Party (“Non-Data Breaching Party”) of the Personal Data Breach and (ii) provide the Non-Data Breaching Party with such details as the Non-Data Breaching Party reasonably requires regarding the nature of the Personal Data Breach, any related investigations, the likely consequences, and any measures taken by the Data Breaching Party to address the Personal Data Breach, and thereafter provide regular updates on these matters. Where the Non-Data Breaching Party is a Data Controller, the Data Breaching Party will co-operate reasonably with the Non-Data Breaching Party including with any proposed notification to a Supervisory Authority and/or communication to a Data Subject where required by Data Protection Laws.
- International Transfers
- International Transfers. The use of or provision of the Services may require the transfer of Personal Data of Data Subjects located in the EEA, the United Kingdom, Switzerland or Brazil to countries which the exporting country does not consider to offer adequate protection for Personal Data. Each Party will ensure an appropriate mechanism that is recognized by applicable Data Protection Laws is implemented to allow for the data transfer, and shall ensure both it and its Data Controllers, Data Processors, and Sub-Processors will comply with the related requirements of the appropriate mechanism for data transfer.
- Standard Contractual Clauses.
- Where you act as a Data Controller and Xandr acts as a Data Processor, you and Xandr will comply with the obligations of data exporter and data importer (respectively) set out in the Standard Contractual Clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission decision of 5 February 2010, published under document number C(2010) which are hereby incorporated into this Addendum by reference (the C2P Clauses). The details of the appendices applicable to the C2P Clauses are as set out in Exhibit A.
- Where Xandr and the Company each act as data controller, Xandr and the Company will comply with the obligations of data importer and data exporter (respectively) set out in the Standard Contractual Clauses for the transfer of Personal Data to data controllers established in third countries adopted by the European Commission decision of 27 December 2004, published under document number C(2004) which are hereby incorporated into this International Data Addendum (the C2C Clauses). The details of the appendices applicable to the C2C Clauses are as set out in Exhibit B.
- In relation to the Standard Contractual Clauses (both C2P and C2C), if Company is not established in the EEA, for the purposes of Section 4 of the C2C Model Clauses, and Clauses 9 and 11.3 of the C2P Model Clauses, the governing law shall be that of England.
- For the purpose of this clause 8(2), where a data exporter is established in Switzerland, any reference to the "Directive 95/46/EC" and the "GDPR" shall be a reference to the Swiss Federal Act on Data Protection. Consequently, all definitions in the Standard Contractual Clauses shall be interpreted in accordance with the Swiss Federal Act on Data Protection and references to the "relevant authorities of the Member State" in the Standard Contractual Clauses shall refer to the relevant data protection authority in Switzerland.
- Data Processor Obligations. The following provisions will apply to any Processor Data set out at Exhibit A processed by or on behalf of you in the provision of Services:
- Instructions of the Data Controller. Xandr will process the Processor Data pursuant only to your instruction unless otherwise required by Law. By using the Services (including as set forth in each Service Agreement and/or your use and configuration of features in the Services), you are deemed to be instructing Xandr to process the Processor Data as reasonably required in order to provide the Services. If, in our opinion, your instructions violate Data Protection Laws, we shall inform you as soon as reasonably practicable.
- Assistance of the Data Controller. Xandr will:
- assist you with your compliance with Data Protection Laws relating to security of processing by complying with Section 5, conducting data protection impact assessments as required by Data Protection Laws or consultations between you and a Supervisory Authority, and
- after becoming aware of a Personal Data Breach, notify you without undue delay and assist you with any required notifications, taking into account the nature of the processing and information available to us.
- Appointment of Sub-Processors. You grant to us general authorization to engage Sub-Processors in connection with providing the Services (including without limitation network infrastructure operators, providers of anti-fraud and reporting services, and other outsourced providers), provided that:
- Xandr and the Sub-Processor enter into an agreement regarding each of our obligations pursuant to Data Protection Laws on terms that are materially at least as protective as these International Data Addendum Terms; and
- we keep you informed of any intended additions to or replacements of our Sub-Processors, as currently listed in our user interface and/or wiki (currently located at: https://wiki.xandr.com/x/4xFxBQ), which may be updated by us from time to time, giving you an opportunity to object to changes on reasonable grounds of non-compliance or material risk of non-compliance by you with Data Protection Laws. Should you so object to our use of a Sub-Processor, you may within a reasonable time after notice of any intended additions or replacements of a Sub-Processor terminate any Order related to an affected Service upon written notice without liability for such termination subject to the terms of the applicable Service Agreement. We remain fully liable to you for the performance of each Sub-Processor's obligations. If you are located within the EEA, the United Kingdom, Switzerland or in Brazil and we use a Sub-Processor that is performing processing services for us from a country not deemed adequate under applicable Data Protection Laws and no legally enforceable mechanism(s) for the transfers of Personal Data (as permitted under Data Protection Laws) is in place in relation to that Sub-Processor, Company instructs and mandates Xandr to sign standard contractual clauses, approved by the applicable authorities under Data Protection Laws, with the Sub-Processor.
- Deletion of Processor Data. When uploading or creating any Segment Data, Company has full control to set the date on which it is deleted. Company can request deletion at any time of Query String Data, Mapping Tables, and data provided to us by or on behalf of you to provide our Yieldex Services.
- Partners and Vendors of Company. If you make any Personal Data accessed or obtained by you through the Services available to any third party, you will execute the appropriate contractual provisions with each such third party, depending on the third party’s role as Data Controller or Data Processor. If and to the extent the third party will process such Personal Data outside of the EEA, the United Kingdom, Switzerland or Brazil, you will ensure a mechanism to achieve adequacy for that processing is in place pursuant to Data Protection Laws.
Annex 1: Nature of the Personal Data processed by us on your behalf
1. Types of Personal Data comprising the Processor Data:
The Personal Data in relation to Data Subjects comprises:
- Identifiers: hashed email addresses, IP Address, data that could be used for device fingerprinting, latitude and longitude
- Demographic information: location, age range, gender, other client-specified demographics (tied to an identifier)
- Behavioral data: inferences about a user’s interests including product interests, website browsing information, transaction data (e.g. online purchases), website registrations (tied to an identifier)
Special Categories of Data:
- Data Controller agrees not to use sensitive categories of data in conjunction with its use of Data Processor’s Service
2. Categories of Data subjects:
Internet users visiting Sites
3. Processing required in performance of the Services:
Currently set forth in the AppNexus user interface and/or wiki (currently located at: https://wiki.appnexus.com/x/yhFxBQ), which may be updated by us from time to time.
4. Duration of the processing:
The duration of the processing will be: until the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Addendum (to the extent applicable).
5. Nature and Purpose of the processing:
The transfer is made for the following purposes:
Personal Data is used in the operation of AppNexus' Services for data segment lookup and to use on behalf of Company (and any Clients permissioned by Company) to forecast the availability of and facilitate Advertising Transactions.
The personal data transferred will also be subject to the following basic processing activities:
- Console: Storage; data segment lookup and use on behalf of Company (and any Clients permissioned by Company) to forecast the availability of and facilitate Advertising Transactions.
- Yieldex: Storage; analytics; forecasting availability on and types of segments and Internet users (and frequency and recency) visiting Company’s Sites.
- OAS: Storage; forecasting availability on Company’s Sites; facilitating the serving of advertisements to Company’s or Company’s Client’s sites.
- Cloud: Storage; load balancing; analytics; content delivery.
Annex 2: Description of the technical and organizational security measures implemented by the data importer:
Data importer will implement measures no less stringent than those set forth in the AppNexus user interface and/or wiki (currently located at: https://wiki.appnexus.com/x/yhFxBQ), which may be updated from time to time.
EXHIBIT B: C2C Clauses Appendices
DATA PROCESSING PRINCIPLES
- Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.
- Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
- Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
- Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
- Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
- Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
- Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
- Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:
- such decisions are made by the data importer in entering into or performing a contract with the data subject, and
- the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties.
- where otherwise provided by the law of the data exporter.
DESCRIPTION OF THE TRANSFER
Defined terms are as set out in the International Data Addendum.
The personal data transferred concern the following categories of data subjects:
End users of Company Sites, Client Sites and end users viewing Company Ad Units.
Purposes of the transfer(s)
The transfer is made for the following purposes:
To facilitate advertising to data subjects, including targeted advertising, fraud detection, Ad Inventory analysis, and reporting to Company and AppNexus’s Clients.
Categories of data
The personal data transferred concern the following categories of data:
- Identifiers: Data exporter’s and data importer’s unique identifiers, other identifiers, hashed email address, IP Address, data that could be used for device fingerprinting, latitude and longitude;
- Demographic information: location, age range, gender, other client-specified demographics (tied to an identifier)
- Behavioural data: frequency of identifiers visiting and viewing Company Sites, Client Sites and viewing and taking actions with respect to Company Ad Units.
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
Buyers, Sellers, External Buyers, External Sellers, Affiliates, Clients, Company, Providers, Subcontractors, Supervisory Authorities.
Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data:
Additional useful information (storage limits and other relevant information)
Platform Data is stored using generally accepted security standards. It is usually aggregated or deleted within 30-60 days, but may be retained in the Platform for up to 18 months from the date of collection before aggregation or deletion.