- Definitions
- “DP Laws” means any applicable data protection and privacy laws relating to the protection of individuals with regard to the processing of personal data, including but not limited to (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) the GDPR as transposed into the national laws of the United Kingdom (“UK GDPR”); (iii) Directive 2002/58/EC (“ePrivacy Directive”); (iv) the UK Data Protection Act 2018; (v) U.S. Data Protection Laws; and (vi) any corresponding or equivalent laws or regulations including any amendment, supplement, update, modification to or re-enactment of such laws;
- “Controller,” “Data Subject,” “deidentified information,” “Personal Data,” “Personal Data Breach,” “Process/Processing,” “Sub-Processor” and “Supervisory Authority” shall have the same meaning as ascribed to them in the DP Laws and for the purposes of this DPA the term “Personal Data” shall include the definitions for “Personal Information” as such term is defined under DP Laws;
- “Legal Process” means any criminal, civil, or administrative subpoena, mandatory request, warrant or court order issued by a Public Body, including but not limited to subpoenas, warrants and orders authorized under local, regional, state, national and/or federal laws or regulations or any other laws applicable to Customer in any Restricted Country;
- “Public Body” means any local, regional, state, national or federal law enforcement authority, regulator, government department, agency or court in any Restricted Country;
- “Restricted Country” means any country: (i) which is not a member of the European Economic Area; or (ii) which has not been approved by the European Commission or the UK Government pursuant to Article 45 of the GDPR or the UK GDPR (as applicable), as ensuring an adequate level of data protection in relation to Personal Data;
- “Restricted Transfer” means a transfer of Personal Data between the Parties which in the absence of the SCCs, would be unlawful under DP Laws;
- “SCCs” means: (i) the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Data to third countries pursuant to GDPR as updated, amended, replaced and superseded from time to time (“EU SCCs”); or (ii) the EU SCCs read in accordance with, and deemed amended by the UK IDTA; and
- “UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.
- “U.S. Data Protection Laws” means applicable United States federal, state and local laws and regulations related to privacy, consumer and data protection, communications, recording, surveillance, artificial intelligence, profiling and security, including, but not limited to, the California Consumer Privacy Act of 2018, as amended (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Personal Data Privacy and Online Monitoring Act, the Utah Consumer Privacy Act, and any other similar U.S. laws.
- Data Processing and Roles
- The Parties acknowledge that each will be a separate and distinct independent controller in relation to the Personal Data which they Process in connection with the IO, and the Parties shall each comply with their respective obligations under the DP Laws in respect of their processing of such Personal Data.
- Each Party will, upon the request of the other Party, provide all assistance, information and cooperation reasonably necessary to enable the other Party to comply with DP Laws in relation to the Personal Data, in particular with respect to responding to requests by Data Subjects and/or Supervisory Authorities, and Personal Data Breaches.
- Restricted Transfers
- If there are Restricted Transfers of Personal Data, the following terms shall apply. In each case, the data exporter is Publisher and the data importer is Advertiser, and the description of the transfer (Annex I of the EU SCCs; Annex B of the UK SCCs) is as set out in Annex 1 to this DPA:
- With respect to Restricted Transfers subject to the EU GDPR, Module 1 of the EU SCCs shall apply and is hereby incorporated into this DPA by reference. Clause 7 and the optional language in clause 11(a) shall not apply, the Supervisory Authority for the purposes of clause 13(a) shall be the Federal Financial Supervisory Authority in Germany and the governing law and choice of forum and jurisdiction shall be that of the Federal Republic of Germany solely for the purposes of the EU SCCs, and the technical and organizational security measures shall be as set out in Annex 2.
- With respect to Restricted Transfers subject to the UK GDPR, the EU SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in the Annex to this DPA except that for the purposes of table 2 of Part 1 (Tables), the parties select the “importer” option.
- In the event that the SCCs are at any time no longer deemed to provide adequate protection for Personal Data so transferred, the parties shall enter into and/or adopt an alternative data transfer mechanism that effectively complies with DP Laws.
- Additional Terms for U.S. Data Protection Laws.
- The Parties agree to use Personal Data, if any, for the limited and specified purpose(s) identified in the IO and agree that each is making the Personal Data available to the other Party only for such limited and specified purposes.
- Each Party shall comply with all obligations applicable under U.S. Data Protection Laws and shall provide the same level of privacy and security protection as is required by U.S. Data Protection Laws.
- A Party may require the other Party to attest that the other Party treats the Personal Data made available to the other Party in the same manner that the Party is obligated to treat the Personal Data under the CCPA.
- To the extent required by applicable U.S. Data Protection Laws, if a Party discloses or otherwise makes available de-identified information to the other Party, the other Party agrees to: (i) take reasonable measures to ensure that the de-identified information cannot be associated with a consumer or household; (ii) publicly commit to maintain and use the de-identified information in its de-identified form and not attempt to reidentify the information; and (iii) contractually obligate any further recipient to comply with all provisions of applicable U.S. Data Protection Laws.
- Each Party may take reasonable and appropriate steps to ensure that the other Party uses Personal Data transferred to it in a manner consistent with the Party’s obligations under DP Laws. A Party may, upon reasonable notice to the other Party, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
- Each Party shall promptly notify the other Party if a Party determines that it can no longer meet its obligations under U.S. Data Protection Laws.
- Termination
The Parties agree that this DPA and the SCCs shall terminate automatically upon the termination of the IO.
- General Terms
- Any obligation imposed on the Parties under this DPA in relation to the Processing of Personal Data shall survive any termination or expiration of the IO.
- Any breach of this DPA shall constitute a material breach of the IO.
- A person who is not a party to this DPA shall have no right to enforce any term of this DPA, save to the extent set out in the relevant SCCs. The rights of the Parties to rescind or vary this DPA are not subject to the consent of any other person.
- The provisions of this DPA are supplemental to the IO. In the event of inconsistencies between the provisions of this DPA and the IO, the provisions of this DPA shall prevail.
ANNEX 1: DESCRIPTION OF THE PROCESSING – BUSINESS INFORMATION
Part 1: List of Parties:
Data exporter(s): Publisher (as controller)
Data importer(s): Advertiser (as controller)
Part 2: Description of Transfer:
- Categories of Data Subjects whose Personal Data is transferred:
End Users of Publisher’s application.
- Categories of Personal Data transferred: ClickID
- Sensitive data transferred (if applicable) and applicable restrictions or safeguards: Not applicable.
- The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Personal Data is transferred on a continuous basis.
- Nature of the Processing:
The Personal Data transferred will be subject to the following basic processing activities, in each case strictly to the extent relevant to and in accordance with the obligations of the Parties under the IO: (i) retrieval, consultation or use of the Personal Data and (ii) alignment, combination, blocking, erasure or destruction of the Personal Data.
- Purpose(s) of the data transfer and further Processing: The Personal Data shall be Processed in order to fulfill the terms of the IO.
- The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: In line with each Party’s retention policies.
- The Personal Data transferred may be disclosed only to the following recipients or categories of recipient:
Representatives of each Party.
Part 3: Competent Supervisory Authority(ies):
Identify the competent supervisory authority(ies) in accordance with clause 13 of the EU Controller SCCs.
The Federal Financial Supervisory Authority in Germany.
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Each Party shall implement appropriate technical and organizational measures, policies and controls to maintain the effective security of all of their computer or network systems accessing, storing, transmitting, processing or otherwise supporting the processing of Personal Data in accordance with this DPA, and to ensure that such Personal Data is protected from accidental, unauthorized or unlawful processing, access, disclosure, loss, alteration, damage or destruction.
At a minimum, each Party shall ensure compliance with the requirements described at: https://mvsp.dev/mvsp.en/index.html.