(Controller – Processor)

This Global Data Protection and Information Security Agreement (“DPA”) is made part of an agreement with Paramount Global and/or one or more of its Affiliates (such party(ies), as applicable, “Paramount”) which makes reference to this DPA or the URL at which this DPA is located (the “Agreement”). This DPA does not limit other obligations of Vendor, including, without limitation, any obligations under the Agreement or laws that apply to Vendor or to Vendor’s performance under the Agreement. In the event of a conflict between the DPA, the Agreement or any applicable security requirements, the requirement that is most restrictive and protective of Paramount, as determined by Paramount in its sole discretion, shall apply unless otherwise expressly agreed upon in writing by Paramount.


1.1 Capitalized terms defined below shall have the meanings set forth herein, whether or not such terms are otherwise defined in the Agreement. Capitalized terms used but not otherwise defined in this DPA shall have the meanings assigned to such terms in the Agreement.

1.2 “Affiliate” means an entity, directly or indirectly, controlling, controlled by, or under direct or indirect common control with a party.

1.3 “Argentinian Model Clauses” mean the model contract titled Contrato modelo de transferencia internacional de datos personales con motivo de prestación de servicios as adopted by the Data Protection Agency of the Republic of Argentina under Disposition 60-E/2016.

1.4 “Business Purpose” will have the meaning set forth in Section 140 (e) of the CCPA or as similarly defined in applicable Data Protection Laws.

1.5 “Data Protection Laws” mean any applicable law, treaty, statute, regulation, ordinance, order, directive, code, or other rule, or any administrative guidance or industry self-regulatory rules or guidelines regarding the same, whether of or by any legislative, administrative, judicial, or other Governmental Entity, that governs or relates to the confidentiality, security, privacy, or Processing of Personal Data or otherwise regulates marketing communications, data protection, or Security Incident management and/or notification including without limitation: the EU General Data Protection Regulation (EU) 2016/679 (“GDPR”); the United Kingdom General Data Protection Regulation (“UK GDPR”); the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act of 2018, Cal. Civil Code section 1798.100 et seq., as amended (“CCPA”), and other applicable state and federal United States privacy laws (together with the CCPA, “US Privacy Laws”); and the Brazilian General Data Protection Law, Law n. 13.709 of 2018 (“LGPD”).

1.6 “Data Subject” means, as applicable:

1.7 “Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws, including without limitation the right of access, right to rectification, right to restrict Processing, right to erasure, right to data portability, or right to object to the Processing.

1.8 “European Model Clauses” mean:

1.9 “Governmental Entity” means any federal, state, provincial, municipal, local or foreign government, governmental authority, regulatory or administrative agency, governmental commission, department, board, bureau, agency, instrumentality, court or tribunal, and includes a “Supervisory Authority” as defined in applicable Data Protection Laws.

1.10 “Personal Data” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to, a unique (as applicable) Data Subject, computing device, or household, and shall include, but is not limited to, all “personal data”, “personal information”, or similar terms, as defined in applicable Data Protection Laws.

1.11 “Process” or “Processing” means any operation or set of operations that is performed on Paramount Data, whether or not by automated means, such as collection, using, accessing, recording, reproducing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, evaluation or control, modification, blocking, restriction, erasure or destruction, or classification, and including all “processing” as defined in applicable Data Protection Laws.

1.12 “Restricted Transfer” means a transfer (either directly or via onward transfer) of Personal Data by a Party acting as an exporter to an importer located in a jurisdiction that has not been recognized by the Data Protection Laws applicable to the exporter as offering an adequate level of protection for Personal Data.

1.13 “Sale of Data” means:

1.14 “Security Incident” means:

1.15 “Subcontractor” means another data processor (as defined by Data Protection Laws) engaged by Vendor for carrying out Processing activities in respect of the Paramount Data on behalf of Paramount.

1.16 “Paramount Data” means any and all data or information, in any form, format or media, provided or otherwise accessed by or made available to Vendor or any of its employees, agents or contractors or by any other party in connection with or incidental to the Agreement, as well as all data and works obtained, developed or produced by Vendor in connection with the Agreement including derivatives, aggregations or analysis of any of the foregoing.

1.17 “Paramount Privacy and Information Security Requirements” means Paramount global information securities policies and privacy requirements applicable to Vendor as set forth in section 4 below, as may be supplemented or amended in the Agreement.

1.18 “Paramount Personal Data” means Paramount Data that constitutes Personal Data.

1.19 The terms “Business”, “Controller”, “Operator”, “Processor”, “Service Provider”, and “Special Categories of Personal Data” as used in this DPA will have the meanings ascribed to them in applicable Data Protection Laws. With respect to “Special Categories of Personal Data,” this term shall also include “sensitive personal information” or similarly defined terms in applicable Data Protection Laws and Personal Data collected from a “child” as defined under applicable Data Protection Laws.


2.1 As part of the Services described in the Agreement, Vendor may Process Paramount Data.

2.2 The Parties acknowledge and agree that with regard to the Processing of Paramount Personal Data of Data Subjects, Paramount shall be the Controller and Vendor shall be the Processor of Personal Data Processed by Vendor under the Agreement.

2.3 For purposes of US Privacy Laws, Paramount shall be considered a Business or Controller and Vendor shall be a Service Provider or Processor (as such terms are defined in the applicable US Privacy Laws). Vendor certifies that Vendor understands the obligations imposed on it by this DPA and will comply with such obligations.

2.4 The subject matter of the Processing undertaken by Vendor is the provision of the Services and the Processing will be carried out for the duration of the Agreement. The Services, categories of Data Subjects, categories of Personal Data, and any specific instructions are set forth in the Agreement.

2.5 Except as expressly provided in the Agreement, Vendor acknowledges that, as between Vendor and Paramount, Paramount owns all right, title and interest in the Paramount Data.


3.1 When Vendor or a Subcontractor Processes Personal Data under the Agreement for or on behalf of Paramount, Vendor represents, warrants, and covenants both for itself and on behalf of each such Subcontractor, that it shall:

3.2 Vendor shall promptly notify Paramount of any determination (made by Vendor or by a Subcontractor) that it can no longer meet its obligations under this DPA, the Agreement, or Data Protection Laws.


4.1 General Security Requirement. Vendor shall maintain physical, administrative, and technical safeguards consistent with industry-accepted best practices (including the International Organization for Standardization’s standards ISO 27001 and 27002, the National Institute of Standards and Technology (NIST) 800-53 Cybersecurity Framework, the Cloud Security Alliance, or other similar industry standards for information security) to protect the confidentiality, integrity, and availability of Paramount Data and systems. Vendor shall maintain industry-leading standards in evolving technical controls to ensure the protection of Paramount Data, including, without limitation, firewalls, encryption technologies, anti-virus software, access and authentication, security monitoring, and security alerting systems.

4.2 Specific Safeguard Requirements. Vendor shall maintain an information security program (the “Information and Security Program”), which will include, at a minimum, the following safeguards and controls:

4.3 Compliance. Vendor shall make available to Paramount all information necessary to demonstrate compliance with its Information and Security Program, the Paramount Information Security Requirements, this DPA, the Agreement and Data Protection Laws, including:

4.4 Risk Assessment. Vendor agrees to participate in an annual risk assessment conducted by Paramount or its designee and to provide to Paramount (or its designee) any supporting documentation required during the risk assessment process, such as but not limited to, information security policies, standards, procedures, and if available, SOC2-Type1/Type2 reports, ISO27001/27002. Vendor shall also remediate any findings or deficiencies identified during Paramount’s risk assessments within a reasonable timeframe.

4.5 Software Security. If software is provided as a deliverable or as part of the service provided under the Agreement, Vendor shall have its software reviewed for security vulnerabilities by an independent third party that specializes in application security and provide Paramount the results of such review or, if Vendor has not performed such review, Vendor hereby consents to allow Paramount to commission such review by a third party at Paramount’s cost. Vendor shall reasonably cooperate with such review. Vendor shall promptly remediate security vulnerabilities identified and shall repeat the review for updates or new versions.

4.6 Background Checks. Paramount may require that Vendor representatives be subject to a lawful background check. Vendor shall cooperate with Paramount in connection with obtaining any necessary written consents in connection with any such background checks.

4.7 PCI DSS requirements. If, in the course of its Processing Paramount Data, Vendor has access to or will Process credit, debit, or other payment cardholder information, Vendor shall at all times remain in compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) requirements (in addition to other Security Requirements), and shall remain aware at all times of changes to the PCI DSS and promptly implement all procedures and practices necessary to remain in compliance with the PCI DSS.

4.8 If Vendor receives a request for access to Paramount Data from a Governmental Entity, Vendor shall promptly notify Paramount in advance of any such disclosure, and shall cooperate with Paramount in objecting to the request to the full extent permitted by law. If Vendor is prohibited from notifying Paramount of such request by applicable law, then Vendor shall engage legal counsel to take reasonable measures to object to such disclosure. In case of any disclosure, Vendor shall disclose only the minimum Paramount Data necessary to comply with the request.


5.1 Detection and Response. Vendor will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to

5.2 Notice of Security Incident. If Vendor becomes aware of a Security Incident, or information that should reasonably lead Vendor to suspect a Security Incident has occurred, Vendor shall notify Paramount without undue delay (and in any event within 24 hours), and on an ongoing basis provide the following information as soon as possible:

5.3 Remediation Efforts. Following any Security Incident, Vendor shall consult in good faith with Paramount regarding remediation efforts that may be necessary, appropriate, and reasonable (“Remediation Efforts”). Vendor shall:

5.4 Breach notification. Unless prohibited by applicable law, Paramount has the right to control the breach notification process, and Vendor shall not release or publish any filings, communication, notice or notification, press release, or report about the Security Incident without written authorization from Paramount.

5.5 Reimbursement. Without limiting Paramount’s other rights, Vendor shall reimburse Paramount for all costs and expenses of Remediation Efforts and regulatory fines incurred by Paramount as a result of any Security Incident related to Paramount Data while under the control or possession of Vendor.

5.6 Cooperation. Vendor shall provide all assistance to Paramount as is reasonably necessary for Paramount to meet its obligations under Data Protection Laws.


6.1 Vendor shall not disclose, enable Processing of, or otherwise make accessible any Paramount Data to any Subcontractor unless expressly authorised by Paramount.

6.2 Paramount authorises the entities contained in the applicable exhibit or annex to or the link contained in the Agreement to be engaged by Vendor as Subcontractors.

6.3 Vendor may appoint a new Subcontractor at any time provided that:

6.4 If there is no objection from Paramount, Vendor may engage the Subcontractor and will update the list of approved Subcontractors. If Paramount objects to the use of this Subcontractor, Vendor will use reasonable efforts to, within 30 days of receiving the objection, either find an alternative Subcontractor or suggest a change to the Services to avoid using the Subcontractor Paramount objects to. If Paramount, in its sole discretion, is not satisfied with Vendor’s proposed solution, Paramount may terminate the Agreement or any applicable statement of work, work order, or similar transaction document, in whole or in part upon written notice with no further expenses, costs, or liabilities.

6.5 Notwithstanding anything to the contrary herein, Vendor shall:

6.6 Vendor shall ensure that each Subcontractor that Processes or otherwise accesses Paramount Data:

6.7 Vendor shall ensure that all Vendor or Subcontractor personnel engaged in Processing of Paramount Data:


7.1 The Parties acknowledge that the provision of the Services under the Agreement may involve a Restricted Transfer. Notwithstanding the generality of the foregoing, the Parties agree to the following with respect to a Restricted Transfer:

7.2 Vendor represents and warrants that neither Vendor nor, to Vendor’s knowledge, any of its Subcontractors, have received a request from any Governmental Entity for access to European Personal Data Processed by such Vendor or Subcontractor in connection with the Services or substantially similar services for other clients. Vendor covenants to notify Paramount immediately and in writing in the event that, in Vendor’s opinion:

7.3 If any additional Data Protection Laws become effective during the Agreement which involve Restricted Transfers not contemplated herein, the Parties agree to meet in good faith to complete any formalities and enter into any documents as may be required by such Data Protection Laws.


8.1 Without limiting any obligation in the Agreement, and subject to Vendor’s retention obligations under applicable laws, rules and regulations, including Data Protection Laws, Vendor shall, and shall cause its Subcontractors to, immediately, securely destroy (by making unreadable, un-reconstructable, and indecipherable) any or all Paramount Data (including, without limitation, all electronic copies on hard drives, backup media, portable devices, optical, magnetic, or other storage media, as well as hard copies) upon the earlier to occur of the following:

8.2 Vendor shall promptly provide Paramount with a certification by an officer of Vendor that all Paramount Data has been removed from Vendor’s and any Subcontractor’s possession and/or control. If Vendor is required to retain Paramount Data pursuant to applicable laws, rules and regulations, including Data Protection Laws, Vendor shall inform Paramount of such requirement.

8.3 If Paramount notifies Vendor in writing that particular Paramount Data may be Paramount attorney-client communication or attorney work-product, then Vendor shall:

8.4 If Vendor is required by law or by interrogatories, written requests for information or documents by a Governmental Entity, subpoena, civil investigative demand or similar legal process to disclose any Paramount Data that may be within Paramount attorney-client or work-product privileges, then Vendor must provide (unless prohibited by applicable law) Paramount with prompt, written notice of such request or requirement so that Paramount may at its own expense seek an appropriate protective order or object to the requested disclosure.

8.5 Vendor shall comply with Paramount requirements regarding the preservation and production of Paramount Data held by Vendor that is relevant for legal and regulatory proceedings or investigations.

8.6 To the extent that Vendor is required to retain Paramount Data, this DPA and the Agreement will continue to apply in their entirety to such Paramount Data and Vendor’s Processing thereof.


9.1 As an additional indemnification obligation under the applicable provision of the Agreement, Vendor will defend, indemnify and hold Paramount, its Affiliates, and their respective officers, directors, employees and agents, harmless from and against any and all claims, suits, causes of action, fines and penalties, liability, loss, costs and damages, including reasonable attorney fees, arising out of or relating to any third-party claim arising from:

9.2 Notwithstanding any terms of the Agreement to the contrary, any limitation of liability with respect to indemnification set forth in the Agreement shall not apply to the indemnification obligations set forth above.


10.1 Survival. Vendor’s data protection and privacy obligations in the Agreement, including its obligations under this DPA, shall continue for so long as Vendor, or any of Vendor’s Subcontractors, continues to Process Paramount Data on behalf of Paramount, even if the Agreement has expired or been terminated.

10.2 Changes to the DPA. In addition to any rights under the Agreement, Paramount may modify this DPA at any time, including to the extent required to comply with Data Protection Laws, a court order or guidance issued by a Governmental Entity, by posting an updated version of this DPA at or successor website.