ICON Data Processing Agreement
Last Updated: 9/25/2025
This Data Processing Agreement (“DPA”) sets out the terms, requirements, and conditions on which Icon International, Inc. (“Provider”) will process personal data in providing the services to the listed ‘Purchaser’ or ‘Media Company’ (the “Company”) under the Digital Media Insertion Order, Media Authorization Form, or other applicable agreement(s) (collectively, the “Main Agreement”). Provider and Company are each individually a “Party” and collectively the “Parties”. This DPA is effective as of the execution date of the Main Agreement.
Definitions.
1.1 “Business” and “Controller” shall have the meanings ascribed to such terms in Data Protection Law and shall be used interchangeably herein.
1.2 “Consumer” and “Data Subject” shall have the meanings ascribed to such terms in Data Protection Law and shall be used interchangeably herein.
1.3 “Company Personal Data” shall mean Personal Data provided or otherwise made available to Provider by Company in connection with the Main Agreement.
1.4 “Data Protection Law” means all applicable data protection laws and regulations, including, as applicable, but not limited to the California Consumer Privacy Act of 2018 and its amendments including the California Privacy Rights Act (collectively, the “CCPA”), Virginia’s Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), the Oregon Consumer Privacy Act (“OCPA”), the Texas Data Privacy and Security Act (“TXDPSA”), the Montana Consumer Data Privacy Act (“MTCDPA”), the Iowa Consumer Data Protection Act (“IADPA”), the Delaware Personal Data Privacy Act (“DEPDPA”), the Nebraska Data Privacy Act (“NEDPA”), the New Hampshire Privacy Act (“NHPA”), the New Jersey Data Privacy Act (“NJDPA”), the Tennessee Information Privacy Act (“TIPA”), the Minnesota Consumer Data Privacy Act (“MNCDPA”), the Maryland Online Data Privacy Act (“MDODPA”), the Indiana Consumer Data Protection Act (“INCDPA”), the Kentucky Consumer Data Protection Act (“KYCDPA”), and the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”), as well as Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, CQLR P-39.1 (the “Quebec Private Sector Act”), and Quebec’s Act to Modernize Legislative Provisions as regards the Protection of Personal Information (“Quebec’s Act 25”).
1.5 “Personal Data” and “Personal Information” shall have the meanings ascribed to such terms in Data Protection Law and shall be used interchangeably herein.
1.6 “Processor” and “Service Provider” shall have the meanings ascribed to such terms in Data Protection Law and shall be used interchangeably herein.
Roles of Parties. The Parties acknowledge and agree that under Data Protection Law, Company is a ‘Controller’ and ‘Business’ under CCPA (or where applicable, Company’s end client is a ‘Controller’ and ‘Business’ under CCPA); and Provider is a ‘Processor’ and ‘Service Provider’ under CCPA operating on behalf of the Controller.
Compliance With Law. The Parties shall comply with all applicable laws, rules, and regulations, including but not limited to, Data Protection Law. Provider shall at all times comply with Company’s written instructions. Each Party shall promptly inform the other if it is unable to comply with this DPA or Data Protection Law in performing its obligations under the Main Agreement. If the non-complying Party cannot comply within a reasonable period of time or is in substantial or persistent breach of this DPA or Data Protection Law, the complying Party shall be entitled to remediate the non-compliant action and/or terminate the DPA and the Main Agreement insofar as it concerns processing of Company Personal Data.
CCPA. To the extent any “Personal Information” (as such term is defined under the CCPA) is disclosed to, or otherwise made available to Provider under the Main Agreement and is subject to the CCPA, Provider agrees not to: (i) “sell” or “share” the Personal Information as such terms are defined under the CCPA; (ii) retain, use, or disclose Personal Information for any purpose other than those detailed or permitted under the Main Agreement, or as otherwise permitted by the CCPA; (iii) retain, use, or disclose the Personal Information outside of the direct business relationship with Company; (iv) combine Personal Information it receives from Company with Personal Information it receives from or on behalf of another person or collects from its own interactions with consumers, except in connection with the Main Agreement, provided it is permitted under the CCPA.
4.1 Business Purpose. In accordance with the CCPA, Provider may engage in all of the enumerated, statutory Business Purposes. Provider mainly operates under enumerated Business Purposes 1 and 6, namely: Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards; and providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
Data Security. Provider will implement appropriate technical and organizational measures designed to safeguard Company Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage.
Data Security Incidents. Provider shall notify Company within seventy-two (72) hours of discovery of an unauthorized access to, acquisition or disclosure of Company Personal Data, or other breach of security with respect to Company Personal Data in Provider’s control or possession (a “Data Security Incident”). If a Data Security Incident requires notice to any regulator, data subject, or other third party, Controller shall have sole control over the content, timing, and method of distribution of any needed notice, unless otherwise required by applicable law.
Provider Personnel. Provider shall take reasonable steps to ensure that access to the Company Personal Data is limited on a need to know/access basis and that all Provider personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access and processing of Company’s Personal Data.
Data Retention and Deletion. Provider shall retain Company Personal Data for only so long as necessary to perform its obligations under the Main Agreement, unless otherwise required under applicable laws. Upon Company’s written request and election, Provider shall destroy or return to Company all Company Personal Data in its possession, custody, and control, except for such Company Personal Data as must be retained under applicable law (which Provider shall destroy once it is no longer required under applicable law to retain).
Data Subject Rights. If Provider receives a request from a Data Subject relating to their Personal Data processed in connection with the Main Agreement, Provider shall forward the request to the Company and provide all reasonable cooperation necessary for the Controller to fulfill the Data Subject’s request in compliance with applicable laws.
Data Protection Impact Assessment & Assistance. Where required by Data Protection Law, Provider shall provide reasonable assistance to Controller with any data protection impact assessments, audits, certifications, or other assessment, in relation to processing of Personal Data by Provider.
Audit. Upon the reasonable request of the Company, Provider shall make available to Company all information in its possession necessary to demonstrate Provider’s compliance with the obligations described in this DPA, and shall allow for, and cooperate with, reasonable assessments by Company or the Company’s designated assessor. Company shall not use such audit report for any other purpose than to assess Provider’s compliance with this DPA. Company shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate the Provider’s unauthorized use of personal information.
Government Requests. Unless legally prohibited, each Party shall promptly inform the other Party if it receives a request or demand from a governmental or regulatory body relating to Provider’s processing of Personal Data in relation to the Main Agreement and shall fully cooperate with the other Party in connection with any response to such request or demand.
Subprocessors. Controller authorizes Provider to appoint subprocessors in accordance with this DPA. With respect to each subprocessor, Provider shall ensure that the arrangement between Provider and the subprocessor is governed by a written contract, including terms which, to the extent applicable to the nature of services provided by the subprocessor, are no less restrictive and at least equally protective of Personal Data than those imposed on Processor under this DPA.
Termination and Survival. This DPA and all provisions herein shall survive to the extent, and for so long as, Provider processes or retains Company Personal Data.
Conflicts. In case of contradictions between this DPA and the provisions of the Main Agreement, the provisions of this DPA shall prevail.
Applicable law and jurisdiction. The applicable law and jurisdiction as set forth in the Main Agreement apply to this DPA.