WHEREAS, Falcon Digital Labs LLC (“Falcon”) provides certain services to Publisher pursuant to the Publisher Agreement (“Main Agreement”); and WHEREAS, in the course of providing such services, Falcon may process Personal Data on behalf of Publisher; and WHEREAS, the parties wish to ensure that such processing is conducted in compliance with Applicable Law; NOW, THEREFORE, the parties agree as follows:
1. Definitions
1.1 “Applicable Law” means all data protection and privacy laws of the United States, including but not limited to the CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA, and any successor or implementing legislation, as well as GDPR and UK GDPR where applicable. For clarity, where processing is subject to GDPR, UK GDPR, or Swiss Data Protection Laws, the additional terms set forth in Appendix B (GDPR Addendum) shall apply.
1.2 “Business” means the entity that determines the purposes and means of processing of Personal Data.
1.3 “Service Provider” means the entity that processes Personal Data on behalf of a Business.
1.4 “Publisher Personal Data” means Personal Data disclosed by Publisher to Falcon in connection with the Services.
1.5 “Referral Data” means Personal Data, if any, provided to Falcon in connection with an end user’s acceptance of an offer facilitated through Falcon. For clarity, where Falcon does not receive such information, no Referral Data shall arise.
1.6 “Falcon Data” means data generated, derived, or aggregated from operation of the Falcon platform which does not identify an individual, including de-identified, pseudonymized, or anonymized data.
1.7 “Security Incident” means any confirmed or reasonably suspected unauthorized or unlawful access, disclosure, alteration, loss, or destruction of Personal Data.
1.8 Other capitalized terms not defined herein shall have the meaning set forth in the Main Agreement.
2. Roles of the Parties
2.1 Publisher is a Business with respect to Publisher Personal Data.
2.2 Falcon is a Service Provider with respect to Publisher Personal Data.
2.3 Falcon and Publisher are independent Businesses with respect to Referral Data, each independently responsible for compliance with Applicable Law.
2.4 Falcon is a Business with respect to Falcon Data, which Falcon may use for its own legitimate business purposes, provided it does not re-identify any individual.
3. Processing Instructions
3.1 Falcon shall process Publisher Personal Data only in accordance with Publisher’s documented instructions (including the Publisher Agreement), except where otherwise required by Applicable Law.
3.2 Falcon shall not sell or share Publisher Personal Data or retain, use, or disclose such data for any purpose other than provision of the Services.
3.3 Falcon shall not combine Publisher Personal Data with Personal Data received from another source, except as necessary to perform the Services or as otherwise permitted by law.
4. Falcon’s Service Provider Obligations
4.1 Purpose Limitation. Falcon shall process Publisher Personal Data solely to provide the Services under the Main Agreement.
4.2 Confidentiality. Falcon shall ensure all personnel authorized to process Publisher Personal Data are bound by confidentiality obligations.
4.3 Subprocessing. Falcon shall maintain a current list of Subprocessors used in connection with the Services and make such list available to Publisher upon request. Falcon shall provide Publisher with reasonable advance notice of any new Subprocessor. Publisher may object to such new Subprocessor on reasonable data protection grounds within thirty (30) days of notice. In such case, the parties shall discuss in good faith to resolve the objection. Falcon shall ensure that all Subprocessors are bound by written agreements imposing data protection obligations no less protective than those in this Agreement, and Falcon shall remain fully liable for all acts and omissions of its Subprocessors.
4.4 Data Subject Rights. Falcon shall, to the extent legally permitted, promptly notify Publisher of any request received from a Data Subject relating to Publisher Personal Data. Falcon shall not respond to any such request except on the documented instructions of Publisher, unless otherwise required by law. Taking into account the nature of the processing, Falcon shall provide Publisher with reasonable assistance by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Publisher’s obligation to respond to verified requests by Data Subjects to exercise their rights under Applicable Law, including rights of access, rectification, deletion, restriction, portability, and opt-out.
4.5 DPIAs and Regulator Cooperation. Falcon shall provide reasonable assistance, at Publisher’s cost, with Data Protection Impact Assessments and regulatory inquiries relating to Publisher Personal Data.
4.6 Security Incidents. Falcon shall notify Publisher without undue delay upon becoming aware of a Security Incident and provide all information reasonably required for Publisher to comply with its legal obligations.
4.7 Return or Deletion. Upon termination, Falcon shall delete or return Publisher Personal Data at Publisher’s option, except where retention is required by law or necessary for the establishment, exercise, or defense of legal claims.
4.8 Audit Rights. Falcon shall make available information necessary to demonstrate compliance and allow for audits once per year, or more frequently if required by a regulator or in case of a Security Incident.
5. Publisher’s Obligations
Publisher shall ensure that it has a lawful basis for the collection and disclosure of Publisher Personal Data, provide all required notices and consents, and independently fulfill its obligations as a Business under Applicable Law. Where required under Applicable Law, the Publisher shall include the relevant disclosures for the operation of Falcon services to each end customer.
6. Referral Data
With respect to Referral Data, Falcon and Publisher shall each act as independent Businesses. Each party shall provide notices, obtain consents, and respond to rights requests as required by Applicable Law. Falcon may use Referral Data solely to deliver or facilitate offers, measure performance, and comply with law.
7. Falcon Data
Falcon shall be a Business with respect to Falcon Data. Falcon may use Falcon Data for service improvement, analytics, fraud detection, benchmarking, and product development, provided Falcon shall not use Falcon Data to re-identify any individual.
8. International Transfers
Falcon may transfer Personal Data outside the region in which it was collected only with appropriate safeguards, such as Standard Contractual Clauses or equivalent mechanisms, unless Applicable Law permits otherwise.
9. Costs and Allocation of Responsibility
Each party shall bear its own costs of complying with this Agreement. Falcon may charge Publisher for reasonable costs incurred in providing assistance not expressly included in the Services, including audits, DPIAs, and regulator consultations.
10. Liability and Indemnification
Liability for breaches of this Agreement shall be governed by the Main Agreement. Each party agrees to indemnify the other against losses arising from its own breach of this Agreement or Applicable Law.
11. Term and Termination
This Agreement shall remain in effect for as long as Falcon processes Publisher Personal Data. Sections relating to confidentiality, Falcon Data, and limitations of liability shall survive termination.
12. Miscellaneous
12.1 Governing Law. This Agreement shall be governed by the laws specified in the Main Agreement.
12.2 Order of Precedence. In the event of a conflict, this Agreement shall control with respect to the subject matter herein.
12.3 Severability. If any provision is held invalid, the remainder shall continue in full force and effect.
12.4 Notices. Notices under this Agreement shall be provided in accordance with the Main Agreement.
Annex A – Data Processing Schedule
Categories of Data Subjects
End users of Publisher’s services.
Types of Personal Data
Name, email, mobile number, transaction details, address, device/browser identifiers, location data, usage logs.
Sensitive data
None expected.
Purposes of Processing
Delivering offers, analytics, targeting, fraud detection, personalization, campaign measurement, compliance.
Lawful Basis
As determined by Publisher; typically consent, performance of contract, or legitimate interest.
Retention
For the duration of the Main Agreement or as required by law; de-identified or anonymized thereafter.
Cross-Border Transfers and Safeguards
Standard Contractual Clauses or other lawful mechanisms where required.
Contact points for data protection enquiries
privacy@falconlabs.us
Appendix B
GDPR Addendum
This Appendix B (the “GDPR Addendum”) supplements the Falcon Labs Data Processing Agreement (the “Agreement”) where and to the extent that Falcon processes Publisher Personal Data subject to the GDPR, UK GDPR, or Swiss Data Protection Laws. Capitalized terms not defined herein have the meanings set forth in the Agreement.
1. Roles of the Parties
1.1 For purposes of the GDPR and corresponding laws:
- Publisher acts as “Controller”;
- Falcon acts as “Processor” when processing Publisher Personal Data;
- Where Publisher acts as a Processor for its own customer, Falcon shall be deemed a “Sub-processor.”
1.2 The parties acknowledge that Falcon remains an independent Controller with respect to Falcon Data and Referral Data, as set out in the Agreement.
2. Instructions
Falcon shall process Publisher Personal Data only on documented instructions from Publisher, unless required by EU, Member State, UK, or Swiss law to do otherwise. Falcon shall promptly inform Publisher if it believes an instruction infringes Applicable Law.
3. Sub-processors
3.1 Publisher provides Falcon with a general authorization to engage Sub-processors. Falcon shall maintain a list of current Sub-processors and provide Publisher with prior notice of any changes.
3.2 Publisher may object on reasonable data protection grounds within thirty (30) days of notice. If no resolution is reached, Publisher may terminate the affected Services.
3.3 Falcon shall ensure Sub-processors are bound by written agreements affording protections no less protective than this GDPR Addendum. Falcon remains fully liable for its Sub-processors.
4. Data Subject Rights
Taking into account the nature of the processing, Falcon shall assist Publisher by appropriate technical and organizational measures to enable Publisher to respond to Data Subject requests under Articles 15–22 GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. Falcon shall not respond to Data Subject requests without Publisher’s instructions, unless legally required.
5. Security Measures
5.1 Falcon shall implement appropriate technical and organizational measures designed to protect Publisher Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
5.2 Such measures are described in Schedule 1 (Technical and Organizational Measures) attached hereto.
6. Security Incidents
Falcon shall notify Publisher without undue delay after becoming aware of a Security Incident involving Publisher Personal Data and shall provide reasonably available information to assist Publisher in meeting its notification obligations under Articles 33–34 GDPR.
7. Return and Deletion
Upon termination of the Services, Falcon shall, at Publisher’s option, return or delete Publisher Personal Data. Falcon may retain a copy only as required by law or necessary to establish, exercise, or defend legal claims, subject to ongoing confidentiality and security obligations.
8. International Transfers
8.1 Where Falcon transfers Publisher Personal Data outside the EEA, UK, or Switzerland, such transfers shall be made pursuant to:
· the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914), Modules Two (Controller to Processor) and Three (Processor to Processor);
· the UK Addendum issued by the UK Information Commissioner; and/or
· the Swiss Addendum issued under Swiss Data Protection Law,
as further specified in Schedule 2 (Cross-Border Transfer Terms).
8.2 Falcon shall provide reasonable cooperation for transfer impact assessments (TIAs) and supplementary measures required under Applicable Law.
9. Assistance with DPIAs and Supervisory Authorities
Falcon shall provide reasonable assistance to Publisher, at Publisher’s expense, with Data Protection Impact Assessments and consultations with supervisory authorities related to Publisher Personal Data.
10. Order of Precedence
In case of conflict, this GDPR Addendum (including Schedules) prevails over the Agreement, but only with respect to processing subject to GDPR, UK GDPR, or Swiss Data Protection Laws.
Schedule 1 – Technical and Organizational Measures
Falcon implements, at a minimum:
- Access Controls: Role-based access, least privilege, strong authentication, revocation on termination.
- Encryption: Industry-standard encryption of Publisher Personal Data in transit and at rest.
- Logging & Monitoring: System activity and access logging with routine review.
- Incident Response: Documented incident response plan with escalation procedures.
- Physical Security: Restricted access to data centers and secure server environments.
- Business Continuity: Disaster recovery and backup processes.
- Vendor Oversight: Regular assessments of Sub-processors’ security practices.
Schedule 2 – Cross-Border Transfer Terms
1. EU SCCs: The parties incorporate the EU Standard Contractual Clauses, Modules Two and Three, with Falcon as “data importer” and Publisher as “data exporter.”
2. UK Addendum: The Approved Addendum (version B.1.0, or successor) issued by the UK ICO applies.
3. Swiss Addendum: Transfers subject to Swiss law shall be governed by equivalent clauses adapted for Swiss requirements.
4. Supplementary Measures: Falcon will implement additional safeguards (e.g. encryption, minimization, internal policies, and transparency commitments) as reasonably necessary to ensure an essentially equivalent level of protection.