This Data Processing Addendum (“DPA”) forms part of each agreement with PostPilot, Inc., a Delaware corporation with a principal office at 110 Commercial Road, Suite C, Spartanburg SC 29303 (“PostPilot”) that incorporates this DPA by reference (“Agreement”). References to “Customer” in this DPA refer to the counterparty to the applicable Agreement. This DPA applies only to PostPilot’s Services and does not apply to any service the Customer purchases from any third party other than PostPilot. 

Unless otherwise expressly defined herein, the capitalized terms used in this DPA have the meanings assigned to them in the Agreement.

“Attribution Purposes” shall have the meaning set out in Section 5 of this DPA. 

“Business” or “Controller” shall mean an entity that determines the purposes and means of Processing of Personal Information.

“Consumer” shall mean the individual to whom Personal Information relates.

"Covered Controller Data" means the Personal Data which the Parties will Process as a Controller or as a Business (as applicable) that is: (a) provided by or on behalf of the Customer to PostPilot in connection with the Services as further described in Section 1 of this DPA, and (b) PostPilot Data.  

"Covered Data" means Covered Controller Data and Covered Processor Data.

“Covered Processor Data” means the Personal Data provided by or on behalf of the Customer to PostPilot in connection with the Services, and which PostPilot Processes as a Processor or as a Service Provider (as applicable), as further described in Section 1 of this DPA. 

“Data Protection Laws” means any applicable local, state and federal laws, rules and regulations in the United States relating to the use, collection, retention, storage, security, disclosure, transfer, sale or other Processing or Personal Information.

“Personal Data” means any data or information that: (a) is linked or reasonably linkable to an identified or identifiable natural person; or (b) is otherwise “personal data,” “personal information,” “personally identifiable information,” or similarly defined data or information under applicable Data Protection Laws.

“PostPilot Data” means data generated, sourced, created or maintained by PostPilot in connection with the Services, other than Covered Processor Data and content. PostPilot Data may include Personal Data sourced from third party data providers.

“Process” or “Processing” means any operation or set of operations performed, whether by manual or automated means, on information or on sets of information, such as the collection, use, storage, disclosure by transmission, dissemination or otherwise making available, alignment or combination, analysis, restriction, deletion, or modification of information.

“Service Provider” or “Processor” shall mean an entity that Processes Personal Information on behalf of a Business or Controller.

“Services” means the services to be provided by PostPilot to Customer under the Agreement. 

“Transactional Data” means Personal Data provided in a customer’s order history, including but not limited to contact information, billing name and address, or shipping name and address. 

The parties agree as follows: 

1. Covered Data Processing Details.

     1.1. Covered Processor Data Processing Activities include: Customer lists (including “seed file”          customer lists) or Transactional Data provided by or on behalf of Customer (including, for example,          through third party data providers with whom Customer has a direct agreement with and          designates PostPilot as its agent).

     1.2. Covered Controller Data Processing Activities include: (a) PostPilot Data such as targeting lists          from third party data services with whom Customer does not have a direct agreement sourced, for          example, (i) based on Customer’s requests (i.e., demographics, geographic, saturation data), or (ii)          based on information collected by PostPilot and/or PostPilot’s third party providers via pixel or          other tracking technologies on Customer’s website, and (b) mail files used by PostPilot (or that are          provided to Customer) for Attribution Purposes.

2. Compliance with Laws.

     2.1. Each party will comply with its obligations under Data Protection Laws. Without limiting the          foregoing, (i) Customer will have the right to take reasonable and appropriate steps to ensure that          PostPilot uses Covered Data in a manner consistent with Customer’s obligations under Data          Protection Laws; and (ii) PostPilot will notify Customer promptly if PostPilot determines that it can          no longer meet its obligations under Data Protection Laws.‍

     2.2. Customer will inform PostPilot of any Consumer request made pursuant to Data Protection Laws          that PostPilot must comply with and provide the information necessary for PostPilot to comply with          the request.

3. PostPilot's Obligations.

     3.1. Processing of Covered Controller Data

          3.1.1. The Parties acknowledge and agree that the Covered Controller Data is made available to,                    Sold to or Shared with PostPilot, and PostPilot shall Process such Covered Controller Data,                    solely for the Services.

         3.1.2.  The Parties understand and acknowledge that the Covered Controller Data will be processed                      by PostPilot in accordance with the PostPilot Privacy Notice, which can be found at                      https://www.postpilot.com/privacy-policy (“Privacy Notice”).

     3.2. Processing of Covered Processor Data

          3.2.1. PostPilot will Process Covered Processor Data for the purpose of providing the Services set                 forth in the Agreement and in accordance with Customer’s instructions set forth in the                 Agreement or in writing.  Without limiting the foregoing, PostPilot is prohibited from: (i) selling                 Covered Processor Data or otherwise making Covered Processor Data available to any third                 party for monetary or other valuable consideration; (ii) sharing Covered Processor Data with                 any third party for cross-context behavioral advertising; (iii) retaining, using, or disclosing                 Covered Processor Data for any purpose other than for the business purposes specified in this                 Agreement or as otherwise permitted by Data Protection Laws; (iv) retaining, using, or                 disclosing Covered Processor Data outside of the direct business relationship between the                 parties; (v) to the extent prohibited by Data Protection Laws, combining Covered Processor                 Data with other information that PostPilot receives from or on behalf of another person or                 persons, or collects from its own interaction with the Consumer. ‍

          3.2.2. PostPilot will limit access to Covered Processor Data to personnel who have a business need                  to have access to such Covered Processor Data and will ensure that such personnel are                  subject to obligations at least as protective of the Covered Processor Data as the terms of this                  DPA and the Agreement. Notwithstanding the foregoing, nothing in this DPA shall restrict                 PostPilot’s ability to disclose Covered Processor Data (i) to a subcontractor for a business                 purpose pursuant to a written agreement to protect the confidentiality of Covered Processor                 Data, (ii) to a third party as necessary to comply with applicable laws, or (iii) as otherwise                 permitted by the Data Protection Laws. 

          3.2.3. PostPilot will be liable to Customer for the acts or omissions of any subcontractor or other                 third party to whom PostPilot has disclosed or permitted to access Covered Processor Data as                 if they were acts or omissions of PostPilot. PostPilot will not permit any subcontractor to                 Process Covered Processor Data, unless PostPilot and the subcontractor have entered into an                 agreement that imposes obligations on the subcontractor that are no less restrictive and at                 least equally protective of Covered Processor Data than those imposed on PostPilot under this                 DPA. PostPilot is responsible for ensuring the compliance of Subcontractor with applicable Data                 Protection Laws in connection with the Processing of Covered Processor Data.

          3.2.4. PostPilot agrees to reasonably cooperate with Customer, at Customer’s expense, to assist                 Customer with ensuring its compliance with Data Protection Laws, including to respond to                 requests for access, knowledge, deletion, or rectification in relation to Covered Processor Data.                 If and to the extent Customer instructs PostPilot to delete Covered Processor Data in response                 to a Consumer request received by Customer, PostPilot agrees to delete or de-identify such                 information within thirty (30) days of receipt of the request. For the avoidance of doubt,                 PostPilot shall have no obligation to delete information that has been de-identified or                 aggregated or information relating to Customer’s use of the Service that is not Covered                 Processor Data.

          3.2.5. PostPilot shall implement and maintain reasonable security procedures, practices, and                 controls, as may be appropriate based on the nature of the information, designed to protect                 Covered Processor Data from unauthorized access or destruction.

4. Third Party Licensed Data. To the extent Customer incorporates third party data services into the PostPilot Services, for example, to append or supplement Covered Data with data from third party providers (“Third-Party Licensed Data”) pursuant to an agreement between Customer and such third-party provider:

          4.1.1. Customer is solely responsible for ensuring compliance with its obligations under such                  third-party agreements to which it is a party and with Data Protection Laws applicable to such                 activity in relation to Customer’s use of the PostPilot Services. 

          4.1.2. By instructing PostPilot to disclose Covered Data to such third-party provider for the purpose                 of generating Third-Party Licensed Data for or on behalf of Customer, Customer represents and                 warrants that it has all necessary rights and consents needed to support such instruction. 

          4.1.3. To the extent Customer provides Third-Party Licensed Data to PostPilot, or instructs such                 third-party provider to deliver Third-Party Licensed Data to PostPilot on Customer’s behalf,                 PostPilot shall collect, use, retain and disclose such Third-Party Licensed Data in the same                 manner as PostPilot shall use Covered Data pursuant to this DPA.

5. Attribution. In certain circumstances, PostPilot may provide Customer with PostPilot Data, which could include Third-Party Licensed Data, generated in connection with certain Services. Customer warrants and agrees that Customer shall use and retain such data solely for internal analytics and attribution purposes (“Attribution Purposes”), and for no other purpose, commercial or otherwise, including for marketing purposes. Customer shall have no right to share, disclose or sell PostPilot Data to any third party without prior written approval from PostPilot. Customer warrants and agrees that it shall erase or otherwise destroy any PostPilot Data provided by PostPilot within thirty (30) days from the completion of the Services for which such data was provided, unless otherwise permitted by the applicable data provider and/or PostPilot, as applicable, in writing. Customer is solely responsible for ensuring that its receipt and use of any Third-Party Licensed Data is permitted by the applicable agreement between Customer and the relevant data provider.

6. IP Retargeting Services.

     6.1. In relation to the IP Retargeting Services, the Parties agree to comply with any and all applicable          laws, regulations, and industry guidelines and standards regarding consumer notice and choice          about online marketing, including, but not limited to, the guidelines set forth by the Network          Advertising Initiative ("NAI") and the Digital Advertising Alliance ("DAA"). ‍

     6.2. Customer will comply with all applicable privacy and data protection laws, rules, and regulations,          and will notify website visitors that:

          6.2.1. Data may be collected on Customer websites by third parties using cookies, pixels, web                 beacons and/or other technology for advertising purposes and a description of the data to be                 collected, including, at a minimum, IP Address, the advertising IDs, and other unique identifiers                 that are linked or reasonable linkable to a particular computer or device (such as DII), date and                 time stamps, header and referrer URL data, and information about the visitor's activities on the                 site ("Log Data");

          6.2.2. Customer uses third party services to facilitate and personalize on and offline                 communication about products and services that may be of interest to Consumers based on                 their activities on the website and other interactions with the Customer;

          6.2.3. Information regarding Consumer's ability to opt-out of the use of cookies for interest-based                 advertising, including a link to http://optout.networkadvertising.org/#!/ and/or a link to Neustar                 Information Services, Inc.'s opt-out page at: https://www.neustar.biz/privacy/opt-out.

7. Other Data Obligations.

     7.1. Customer acknowledges and affirms that it has provided all notices to Consumers required under          Data Protection Laws in connection with the Services (if any) and obtained all consents from          Consumers required under Data Protection Laws in connection with the Services (if any).  

     7.2. Customer shall not submit or cause to be submitted to PostPilot any data that includes (i) a social          security number, passport number, driver’s license number, or similar identifier, credit card or debit          card number, employment, financial or health information; (ii) Personal Data relating to a resident of          the European Economic Area or which may be subject to the General Data Protection Regulation          (GDPR); (iii) Personal Data relating to an individual under eighteen (18) years of age; (iv) Personal          Data relating to any individual that has withdrawn consent or exercised a right to opt-out; or (v) any          other information which may be subject to additional protections under applicable laws or          regulations including, but not limited to, the Gramm-Leach-Bliley Act (GLBA) or the Health          Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act          (COPPA), or which could give rise to notification obligations under data breach notification laws,          without PostPilot’s prior written approval. 

     7.3. PostPilot shall have the right to take reasonable and appropriate steps to ensure that Customer          uses the PostPilot Data in a manner consistent with PostPilot’s obligations under Data Protection          Laws. In addition, PostPilot shall have the right take reasonable and appropriate steps to stop and          remediate unauthorized use of PostPilot Data.

     7.4.Customer shall promptly notify PostPilot after it makes a determination that it can no longer meet          its obligations under Data Protection Laws.

8. Data Security. PostPilot will implement appropriate technical and organizational measures designed to safeguard Covered Processor Data against unauthorized or unlawful Processing, and against accidental loss, destruction or damage. PostPilot will document those measures in writing and periodically review them to ensure they remain current and complete, at least annually. 

9. Data Security Incidents. PostPilot shall promptly notify Customer in the event of unauthorized access to, acquisition or disclosure of unencrypted Covered Processor Data in PostPilot’s or its agent’s control or possession (a “Data Security Incident”). If, and to the extent, that a Data Security Incident requires notice to any regulator, Consumer or other third party under applicable law, Customer shall have sole responsibility for the content, timing and method of distribution of any such notice, unless otherwise required by applicable law. PostPilot will provide reasonable cooperation with Customer’s investigation of the Data Security Incident.

10. Data Retention and Deletion. PostPilot shall retain Covered Processor Data for only so long as necessary to perform its obligations under the Agreement, unless otherwise required under applicable laws. Upon termination or expiration of the Agreement or earlier as requested by Customer, PostPilot shall delete or return to Customer (at Customer’s election) all Covered Processor Data in its possession, custody and control, except for such Personal Data as must be retained under applicable law (which PostPilot shall delete once it is no longer required under applicable law to retain).

11. Termination and Survival. This DPA and all provisions herein shall survive so long as, and to the extent that, PostPilot Processes or retains Covered Processor Data, or Customer Processes or retains PostPilot Data.

‍12. Conflicts. In case of contradictions between this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

13. Applicable Law and Jurisdiction. The applicable law and jurisdiction as set forth in the Agreement apply to this DPA.