Data Processing Addendum

Last updated: March 10, 2026

This Data Processing Addendum (“DPA”) is incorporated into the agreement(s) between the applicable Broadsign entity (as defined below) and Customer (the “Agreement”) for the provision of Broadsign’s services, products, and technology solutions (collectively, the “Services”). By accepting the Agreement, Customer agrees to this DPA. Capitalized terms are defined in Section 2 below; terms not defined in this DPA have the meanings given in the Agreement. This DPA governs Broadsign’s Processing of Personal Data in connection with the Services. If there is a conflict between this DPA and the Agreement, this DPA prevails solely with respect to the Processing of Personal Data.

1. Background

The following sections apply only when Broadsign is acting as the Processor or Subprocessor of Personal Data: (i) Section 1(a) (Duties as a Processor); (ii) Section 5 (Data Processing); (iii) Section 6 (Allocation of Responsibility); (iv) Section 7 (Engaging of Subprocessors); (v) Section 8 (a)(ii)-(viii), (b), (c) and (d) (International Transfers); (vi) Section 9 (Data Security, Audits and Security Notifications); (vii) Section 11(Data Protection Impact Assessment and Prior Consultation); and (viii) Section 12 (Termination).

The following sections apply only when Broadsign is the Controller of Personal Data: (i) Section 1(b) (Duties as a Controller); and (ii) Section 8(a)(i) (International Transfers).

• Duties as a Processor: When providing the Services to the Customer, Broadsign will act as the Processor or Subprocessor of Personal Data, and Broadsign undertakes to Process Personal Data on behalf of the Customer in accordance with the Agreement, this DPA and the documented instructions of the Customer, including Annex 1 attached hereto. The Processing will be performed exclusively within the framework of the Agreement or as otherwise required by applicable law. Except as required by applicable law, Broadsign shall not use the Personal Data for any purpose other than as specified in the Agreement and this DPA. The Customer will inform Broadsign of any such purposes which may be prohibited by Data Privacy Laws (as applicable to each law). All Personal Data that is Processed on behalf of the Customer shall remain the property of the Customer and/or the applicable Data Subjects.
• Duties as a Controller: When Broadsign Processes Personal Data subject to Data Privacy Laws (as applicable to each law) for business operations incident to providing the Services to the Customer (for example, to create de-identified data sets or to communicate with the Customer about Broadsign products and services in which the Customer may be interested), Broadsign will act as a Controller of Personal Data, as specified in greater detail below in Section 4(b) of this DPA.

2. Applicability of this DPA

• Customer. This DPA applies solely to the Customer entity that has accepted the Agreement. Any Customer affiliate or related entity that has not accepted the Agreement has no rights under this DPA and must request that the applicable Customer entity accept this DPA on its behalf.
• Broadsign. Only the specific Broadsign entity identified in Annex 3 that is a party to the Agreement is bound by this DPA. No other Broadsign entity has any obligation or liability under this DPA.

3. Definitions

• Affiliate means, in addition to any definition of “Affiliate” or an equivalent term set forth in the Agreement, any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
• Agreement means one or more mutually-executed Agreements, Order Forms, Insertion Orders or other ordering document(s) under the Agreement.
• Controller shall mean (i) a “controller” as that term is defined by the GDPR, (ii) a “business” as that term is defined by the CCPA, and/or (iii) any equivalent term under other Data Privacy Laws.
• Data Privacy Laws means any and all laws, regulations, directives, ordinances and decrees relating to privacy or data protection that are applicable to a party’s business activities and geographic territory, including, but not limited to (as applicable) (i) the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”), as well as any applicable national implementing legislation; (ii) the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the Swiss Federal Data Protection Act (“Swiss Data Protection Act”); (iv) United States state privacy and data protection laws, including the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”); (v) the Canada Personal Information Protection and Electronic Documents Act (“PIPEDA”); (vi) the Japan Act on the Protection of Personal Information (“APPI”); (vii) the Brazil General Data Protection Law (“LGPD”); and (viii) any other applicable present or future state law or regulation that relates to data privacy, data security, or the use or other processing of Personal Data (as defined below), together with all implementing regulations and as any of the foregoing may be amended, updated, supplemented, or replaced from time to time.
• Data Subject has the meaning given in the GDPR, and shall also include “consumers” as defined by the CCPA, as well as other equivalent terms under Data Privacy Laws.
• Broadsign means the Broadsign entity which is a party to this DPA, as specified in Annex 3. “Broadsign” may include, but is not limited to, any of the entities listed in Annex 3 attached hereto.
• Broadsign Group means Broadsign and its Affiliates engaged in the Processing of Personal Data.
• Personal Data means (i) “personal data” as defined in the GDPR, (ii) “personal information” as defined in the CCPA, and/or (iii) any equivalent term as defined in Data Privacy Laws, all as further described in Annex 1 to this DPA, that, in each case, Broadsign collects from the Customer or that the Customer submits to the Services.
• Processing, Process or Processes has the meaning given in the GDPR or the equivalent term under other Data Privacy Laws, as applicable.
• Processor means the entity which Processes Personal Data on behalf of the Controller, including, as applicable, (i) a “processor” as that term is defined by the GDPR, (ii) a “service provider” as that term is defined by the CCPA, and/or (iii) any equivalent term under other Data Privacy Laws.
• Security Incident means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data.
• Subprocessor means any Processor engaged by Broadsign or a member of the Broadsign Group or, as applicable, Broadsign when it Processes Personal Data on behalf of another Processor.
• Supervisory Authority has the meaning given in the GDPR or the equivalent term under other Data Privacy Laws, as applicable. Without limiting the foregoing, Supervisory Authority includes the California Privacy Protection Agency.

4. Processor and Controller Roles and Responsibilities

• The Customer and Broadsign agree that the Customer is the Controller of Personal Data and Broadsign is the Processor of such Personal Data, except (a) when the Customer acts as a Processor of Personal Data, in which case Broadsign is a Subprocessor; or (b) as stated otherwise in the Agreement or this DPA. When Broadsign acts as the Processor or Subprocessor of Personal Data, it will Process Personal Data only on documented instructions from the Customer. In any instance where Data Privacy Laws apply and the Customer is a Processor, the Customer warrants to Broadsign that the Customer’s instructions, including appointment of Broadsign as a Processor or Subprocessor, have been authorized by the relevant Controller.
• To the extent Broadsign uses or otherwise Processes Personal Data subject to Data Privacy Laws (as applicable to each law) for business operations incident to providing the Services to the Customer, Broadsign will comply with the obligations of a Controller or Business under Data Privacy Laws (as applicable to each law) for such use. Without limiting Broadsign’s obligations as a Controller under other applicable Data Privacy Laws, Broadsign is accepting the added responsibilities of a Controller under GDPR for such Processing to: (a) act consistent with regulatory requirements, to the extent required under GDPR; and (b) provide increased transparency to the Customer and confirm Broadsign’s accountability for such Processing. Broadsign employs safeguards to protect Personal Data in such Processing, including those identified in this DPA and those contemplated in Article 6(4) of the GDPR.
• For Controller processing under this Section 4(b), Broadsign relies on its legitimate interests under GDPR Article 6(1)(f) and equivalent provisions under other Data Privacy Laws. Broadsign’s legitimate interests include, but are not limited to, fraud prevention, security monitoring, service improvement, product development, analytics, account management, customer support, and marketing Broadsign’s products and services to existing customers. Broadsign has assessed that its legitimate interests are not overridden by the interests or fundamental rights and freedoms of Data Subjects. Where applicable law requires specific consent (such as for direct marketing under ePrivacy laws), Broadsign will obtain such consent.

5. Data Processing

• Instructions for Data Processing. Broadsign will only Process Personal Data in accordance with the Customer’s written instructions. Except as may be otherwise required by Data Privacy Laws, the Agreement(s), including all addendums thereto, , and this DPA shall be the Customer’s sole, complete, and final instructions to Broadsign in relation to the Processing of Personal Data. To the extent applicable Data Privacy Laws permit the Customer to provide supplemental Processing instructions to Broadsign, Broadsign reserves the right to make corresponding reasonable adjustments to its fee schedule and/or to charge reasonable administrative fees commensurate with the costs of any new required Processing activities.
• Processing of Personal Data outside the scope of this DPA or the Agreement will require prior express written agreement between Broadsign and the Customer, setting forth additional instructions for such Processing. Without limiting the foregoing, Broadsign agrees that it will not “sell” Personal Data within the meaning of applicable Data Privacy Laws, or “share” Personal Data within the meaning of CCPA. Where required by Data Privacy Laws, Broadsign also will not combine Personal Data with other Personal Data it receives from or on behalf of others or in its own capacity, except as permitted by such Data Privacy Laws.
• Duration of Data Processing. This DPA is entered into for the duration set out in the Agreement, and the duration of Processing shall be the period during which Services are provided under the Agreement, together with any data retention period permitted by the Agreement or this DPA.
• Lawful Basis. The Customer hereby represents and warrants to Broadsign that the Customer has obtained all necessary consents, or established an alternative lawful basis or bases, for the Processing of Personal Data by Broadsign in accordance with the Agreement. The Customer will furnish reasonable documentation evidencing the lawful basis or bases for Broadsign’s Processing as may be reasonably requested by Broadsign from time to time.
• Special Categories of Personal Data. The Customer hereby represents and warrants to Broadsign that the Customer will not, without Broadsign’s prior written consent, provide Broadsign with any “special categories” data, as defined in GDPR, or any sensitive Personal Data or any equivalent term) (each as defined in any applicable Data Privacy Laws).
• Records of Processing Activities. To the extent required by applicable Data Privacy Laws, Broadsign will use reasonable efforts to maintain records of processing activities carried out on behalf of Customer. Broadsign shall disclose such records only when required by applicable law or upon request by a Supervisory Authority.
• CCPA Service Provider Certification. To the extent the CCPA applies to Personal Data Processed by Broadsign, Broadsign certifies that it will Process such Personal Data solely for the Business Purpose of providing the Services under the Agreement. Broadsign will not sell or share such Personal Data and will not retain, use, or disclose such Personal Data outside the direct business relationship with Customer, except as permitted under the CCPA for service providers, including for Broadsign’s internal use, service improvement, detecting security incidents, debugging, and system maintenance. Broadsign will not combine Personal Data with personal information received from other sources, except as permitted by the CCPA. For purposes of this subsection, “Business Purpose” has the meaning set forth in the CCPA.

6. Allocation of Responsibility

• The Customer represents and warrants that (i) it shall comply with all Data Privacy Laws, (ii) it has a documented valid legal basis for the Processing of all Personal Data Processed by Broadsign and will provide reasonable evidence of such valid legal basis to Broadsign upon request, and (iii) the Processing of all Personal Data in accordance with this DPA and the Agreement is not unlawful and does not violate any rights of a third party.
• The Customer shall indemnify, defend, and hold harmless Broadsign and its Affiliates, and its and their respective managers, directors, officers, employees and representatives from and against all out-of-pocket costs, expenses, fines, fees (including reasonable attorneys’ fees) arising from all third-party claims, demands, or proceedings arising from or related to Customer’s actual or alleged failure to comply with Section 5(d) of this DPA.

7. Engaging of Subprocessors

• Authorized Subprocessors. The Customer hereby consents and agrees to Broadsign’s engagement of Subprocessors to Process Personal Data, including, without limitation, Broadsign’s engagement of the Subprocessors listed within Annex 4.
• Broadsign shall notify the Customer from time to time of the identity of any new Subprocessors engaged by Broadsign following the Effective Date. Such notice may be provided by Broadsign via email or by providing the Customer with a link to a webpage containing updated information regarding Broadsign’s Subprocessors. If the Customer (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Personal Data only, then without prejudice to any right to terminate the Agreement, the Customer may request that Broadsign move the Personal Data to another Subprocessor and Broadsign shall, if possible within a reasonable time following receipt of such request, use reasonable measures to accommodate such request. If it is not reasonably possible to use another Subprocessor, and the Customer continues to object for a legitimate reason relating to protection of Personal Data, either party may, as its sole and exclusive remedy, terminate only those Services which cannot be provided by Broadsign without the use of the objected-to new Subprocessor on thirty (30) days’ written notice without additional liability to the other party. If the Customer does not object in writing within thirty (30) days of the date of Broadsign’s notice, the Customer will be deemed to have accepted the new Subprocessor.
• Liability of Subprocessors. Broadsign will be liable to the Customer for the acts and omissions of any Subprocessor with respect to the Processing of Personal Data to the same nature and extent that Broadsign is liable to the Customer for its own acts and omissions hereunder and under the Agreement.

8. International Transfers

• Standard Contractual Clauses. Where adequate safeguards are required under GDPR with respect to the transfer of Personal Data to Broadsign in a third country, the most recent standard contractual clauses for the transfer of Personal Data to third countries (module two – transfer controller to processor), as approved by the European Commission (collectively, the “SCCs”) shall be deemed to be adopted and incorporated into this DPA as the basis for any such international transfers contemplated under this Section 8(a), and shall be completed as follows: (i) Module One (controller to controller transfers) shall apply when Broadsign is the Controller of Personal Data; (ii) Module Two (controller to processor transfers) shall apply when Broadsign acts as the Processor of Personal Data; (iii) Module Three (processor to processor transfers) shall apply when Broadsign is the Subprocessor of Personal Data and the Customer is the Processor of Personal Data; (iv) in Clause 7, the optional docketing clause will apply; (v) in Module Two (controller to processor transfers) and Module Three (processor to processor transfers), Clause 9, the Option 2 (General Written Authorisation) will apply, and the time period for prior notice of new Subprocessors shall be as set forth in Section 7(a) of this DPA; (vi) in Clause 11, the optional language will not apply; (vii) in Clause 17, Option 1 will apply, and the SCCs will be governed by Irish law; in Clause 18(b), disputes shall be resolved before the courts of Ireland; and (viii) Annex 1 and Annex 2 of the SCCs shall be deemed completed with the information set forth in Annex 1 and Annex 2 to this DPA.
• Swiss Data Protection Act. Where adequate safeguards are required under the Swiss Data Protection Act with respect to the transfer of Personal Data to Broadsign in a third country, the SCCs shall apply, with the following modifications: (a) any references in the SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to FADP; (b) references to "EU", "Union", "Member State" and "Member State law" shall be interpreted as references to Switzerland and Swiss law, as the case may be; and (c) references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland.
• UK Addendum. Where adequate safeguards are required under UK GDPR with respect to the transfer of Personal Data to Broadsign in a third country, the SCCs, along with the International Transfer Addendum or Addendum to the SCCs for international data transfers issued under Section 119A of the Data Protection Act 2018 and approved by UK Parliament on 21 March 2022 (the “UK Addendum”), shall be deemed to be adopted and incorporated into this DPA as the basis for any such international transfers contemplated under this Section 8(b). The UK Addendum will be (i) governed by the laws of England and Wales, and (ii) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:
• (i) In Table 1 of the UK Addendum, Customer's and Broadsign's details and key contact information are set forth in Section A of Annex 1 of this DPA;
• (ii) In Table 2 of the UK Addendum, information about the version of the Approved EU SCCs, modules, and selected clauses, which the Addendum is appended to, are set forth in Section 8(a) (Standard Contractual Clauses) of this DPA;
• (iii) In Table 3 of the UK Addendum:
• (1) The list of Parties is set forth in Section A of Annex 1 of this DPA.
• (2) The description of the transfer is set forth in Section B of Annex 1 of this DPA.
• (3) Annex II is located in Annex 2 (Technical and Organizational Security Measures) of this DPA.
• (4) The list of Subprocessors is listed in Annex 4;
• (iv) In Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with the terms of the UK Addendum.
• Conflicts. In the event of any conflict between the terms of this DPA, on the one hand, and the SCCs or the UK Addendum, on the other hand, the SCCs or the UK Addendum (as applicable) shall control.

9. Data Security, Audits and Security Notifications

• Broadsign Security Obligations. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Broadsign will implement appropriate technical and organizational measures designed to ensure a level of security appropriate to such risk, including the measures set out in Annex 2.
• Upon the Customer’s reasonable request, Broadsign will disclose information reasonably necessary to demonstrate Broadsign’s compliance with this DPA.
• Security Incident Notification. If Broadsign becomes aware of a Security Incident affecting Personal Data in its possession or control, or receives notice of such Security Incident from one of its Subprocessors, Broadsign will (a) without undue delay notify the Customer of the Security Incident after becoming aware of such Security Incident, (b) investigate the Security Incident and, upon the Customer’s reasonable request, provide the Customer (and any law enforcement or regulatory official, as may be required) with reasonable assistance as may be required under Data Privacy Laws (as applicable to each law) to investigate and mitigate the effects of the Security Incident, and (c) promptly take steps necessary to remedy any non-compliance with this DPA. Except as may otherwise be required by applicable laws, the foregoing obligations described in this Section 9(c) shall constitute the Customer’s sole remedy, and Broadsign’s sole liability, in the event of any Security Incident.
• The Customer shall be responsible for complying with its obligations with respect to notice to Supervisory Authorities and communications to Data Subjects regarding a Security Incident under Data Privacy Laws (as applicable to each law). However, Broadsign shall provide reasonable assistance in accordance with Data Privacy Laws (as applicable to each law) in connection with such obligations.
• The Customer’s Employees and Personnel. Broadsign will treat the Personal Data as confidential, and shall ensure that any Broadsign employees or other personnel with access to the Personal Data have agreed in writing to protect the confidentiality and security of Personal Data.
• Audits. Broadsign will, upon the Customer’s reasonable advance written request, allow for and contribute to audits, including inspections, of those books and records reasonably necessary and relevant to verify Broadsign’s compliance with this DPA, conducted by the Customer (or a third party on the Customer’s behalf) provided that (i) Broadsign is given a minimum of thirty (30) days’ advance written notice of such audit, (ii) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (iii) are conducted only during Broadsign’s normal business hours; and (iv) are conducted in a manner that causes minimal disruption to Broadsign’s operations and business. The Customer agrees that all information, documents, and other materials collected during the course of any audits constitutes Confidential Information (as such term is defined in the Agreement) of Broadsign, and may not be used for any purpose other than to verify Broadsign’s compliance with this DPA. The Customer further agrees that audits under the SCCs and UK Addendum will be conducted in accordance with this Section 9(f).

10. Access Requests and Data Subject Rights

• Government Disclosure. Broadsign will promptly notify the Customer of any request for the disclosure of Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
• Data Subject Rights. The Customer shall ensure that the Data Subjects can avail themselves of their rights under applicable Data Privacy Laws, with the reasonable assistance of Broadsign as required by such Data Privacy Laws and as described in this Section 10(b). Where applicable, and taking into account the nature of the Processing, Broadsign will use reasonable endeavors to assist the Customer by implementing appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of the Customer’s obligation to respond to requests by Data Subjects to exercise their rights under applicable Data Privacy Laws. Where permitted by applicable Data Privacy Laws, as to requests by Data Subjects made directly to Broadsign relating to Personal Data in Broadsign’s possession, Broadsign will notify the Customer (email sufficing) and may inform the Data Subject that the request cannot be acted upon by Broadsign because the request has been sent to a Processor or service provider. The Customer shall ensure that it provides all necessary notices to Data Subjects and obtains all necessary consents from Data Subjects as required by Data Privacy Laws. The Customer shall assist Broadsign by promptly providing Broadsign with any requests from Data Subjects that apply to Broadsign’s Processing activities when Broadsign is the Controller of Personal Data.

11. Data Protection Impact Assessment and Prior Consultation

• To the extent required under applicable Data Privacy Laws, upon the Customer’s reasonable request, Broadsign will provide the Customer with reasonably relevant information to enable the Customer to carry out data protection impact assessments, transfer assessments, or prior consultations with any Supervisory Authority, in each case solely in relation to Broadsign’s Processing of Personal Data and taking into account the nature of the Processing and information available to Broadsign; provided, however, that where the Customer requests assistance of any type that (i) is unnecessary, (ii) is not required of a Processor under applicable Data Privacy Laws, or (iii) is highly burdensome or costly, Broadsign may charge a reasonable administrative fee as a condition to providing such assistance.

12. Termination

• Deletion of Data. Except as otherwise set forth in the Agreement, and subject to Section 12(b) below, Broadsign will, within ninety (90) days of the date of termination of the Agreement, or sooner if reasonably directed by the Customer: (i) delete and use all reasonable efforts to delete and/or procure the deletion of Personal Data Processed by Broadsign or any of its Subprocessors; or (ii) return a complete copy of all Personal Data by secure file transfer in a mutually-agreed method and format.
• Broadsign and its Subprocessors may retain Personal Data to the extent required by any applicable laws. Any retained Personal Data shall continue to be subject to this DPA.

13. Miscellaneous

• This DPA shall be governed by the laws of the jurisdiction specified in the Agreement. Venue for any dispute arising between the parties in connection with this DPA shall be in the courts of the jurisdiction specified in the Agreement.
• This DPA shall be construed to enable the parties to be compliant with the Data Privacy Laws (as applicable to each law).
• In the case of any conflict between the Agreement and this DPA, this DPA shall control with respect to the matter in conflict.
• Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” or equivalent provision of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA. For the avoidance of doubt, Broadsign’s and its Affiliates’ total liability for all claims from the Customer and all of its Affiliates arising out of or related to this DPA shall apply in the aggregate for all claims under both the Agreement and this DPA, including claims by the Customer and all of the Customer’s Affiliates, and, in particular, such limitations on liability shall not be deemed to apply individually and severally to the Customer and/or to any Customer Affiliate that is a party to this DPA. In the event that the Agreement does not contain a “Limitation of Liability” or equivalent provision, then in no event will Broadsign or its Affiliates be liable for (i) any indirect, punitive, incidental, special, consequential, or exemplary damages, including damages for loss of profits, data, goodwill, or other intangible losses, arising out of or relating to this DPA; or (ii) any other damages that exceed, in the aggregate for any and all claims, the total fees paid or payable by the Customer under the Agreement to which the claim relates in the twelve (12) month period preceding the latest such claim.
• Amendments. Broadsign may amend this DPA at any time: (i) immediately upon posting at broadsign.com/policies/data-processing-addendum/ when required by changes in Data Privacy Laws, regulatory guidance, or Supervisory Authority decisions; or (ii) with thirty (30) days’ notice when made for operational or business reasons. All amendments are effective as posted, regardless of whether Customer continues to use the Services. Customer’s sole remedy for any amendment is to terminate the Agreement in accordance with its terms.

ANNEX 1
Details of the Processing

A. List of the parties

Data Exporter (Customer):

• Name: As set forth in the Agreement
• Address: As set forth in the Agreement
• Contact: As set forth in the Agreement
• Role: Controller (or Processor, if applicable)

Data Importer (Broadsign):

• Name: The applicable Broadsign Entity as set forth in Schedule B
• Address: As set forth in Schedule B
• Contact: privacy@broadsign.com
• Role: Processor (or Subprocessor, if applicable)

B. Description of the transfer

Categories of data subjects whose personal data is transferred: The Personal Data being Processed concerns Customer’s officers, directors, executives, and other Customer employees, as well as individual contractors or clients of the Customer, who use or receive the Services or who are involved in the administration and management of the Agreement and the Customer’s relationship with Broadsign as it relates to the Services.

Categories of personal data transferred: The Personal Data being processed concerns names, e-mail addresses, physical addresses, Internet Protocol (IP) addresses, telephone numbers, job titles, organizational structures, and, if applicable, user credentials (such as user IDs or passwords) for the software- or technology-based Services.

Frequency of the transfer: Continuous during the term of the Agreement

Nature of the processing: The Personal Data will be subject to the following basic processing activities: collection; recording; organization; structuring; storage; adaptation; retrieval; consultation; access; use; disclosure by transmission, dissemination, or otherwise making available; alignment or combination; restriction; and/or erasure or destruction.

Purpose of the processing: The data importer provides Services to the data exporter in accordance with the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in Section 12 of the DPA.

For transfers to (sub) processors, also specify subject matter, nature and duration of the processing: As set forth in Section 7 of the DPA.

C. Competent Supervisory Authority

As set forth in Section 8(a) of the DPA.

ANNEX 2
Technical and Organizational Security Measures

Introduction

Broadsign maintains internal policies and procedures, and/or ensures that Broadsign’s Subprocessors do so, which are designed to:

• secure any Personal Data against accidental or unlawful loss, access or disclosure;
• identify reasonably foreseeable and internal risks to security and unauthorized access to the Personal Data;
• minimize security risks, including through risk assessment and regular testing.

Broadsign will conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against security standards in Broadsign’s industry, and will use reasonable efforts to ensure that its Subprocessors do so as well. Broadsign will also perform due diligence on its Subprocessors to ensure they meet the required security standards

Broadsign will conduct regular assessments to evaluate the security and vulnerabilities of its data systems to determine whether additional or different security measures are required to mitigate risks or respond to new security risks or findings generated by the periodic reviews, and will use reasonable efforts to ensure that its Subprocessors do so as well. Broadsign will also periodically conduct internal audits to ensure compliance with GDPR and the DPA, with results shared for continuous improvement.

Data Minimization and Access controls

Only Personal Data necessary for the specified purposes is Processed. Access to Personal Data is restricted according to job responsibilities, with only authorized personnel permitted to Process it. Security layers will be employed to protect against unauthorized access to systems and Personal Data. These will include the principle of least privilege and the use of strong passwords in accordance with Broadsign’s information security policy. Additionally, strong authentication methods, such as two-factor authentication, are in place to restrict access to authorized individuals.

Availability and Back-up of Personal Data

Backup copies of Personal Data are created on a periodic basis to minimize risk and ensure the continued operation of the Services in the event of a man made or natural disaster. Backup copies will be encrypted both in transit and at rest. Backup copies will be treated as equally confidential and require equivalent security measures as applied to live Personal Data.

Disposal of IT Equipment

For Broadsign hardware, all computer equipment will be gathered from employees upon termination from Broadsign. Computer equipment will be wiped clean of data and re-purposed or destroyed such that data on the device is rendered unrecoverable. When hosted infrastructure is utilized, Broadsign will require the infrastructure provider to follow current industry standards in Broadsign’s industry for wiping clean equipment when Broadsign no longer uses that equipment, as well as when the infrastructure provider decommissions equipment.

Encryption and Anonymization

Encryption will be employed that meets or exceeds current industry standards in Broadsign’s industry. Personal Data is encrypted both in transit and at rest using industry-standard algorithms (e.g., AES-256). Personal Data can be anonymized or pseudonymized where applicable to reduce risks.

Data Integrity and Confidentiality

Mechanisms are implemented to ensure the accuracy and integrity of Personal Data, with regular checks performed. All employees, contractors, and third parties with access to Broadsign data are required to sign confidentiality agreements

Incident Response and Breach Notification

Broadsign has an incident response plan for identifying, reporting, and mitigating Security Incidents.

Monitoring and Logging

Continuous monitoring of systems and networks is conducted to detect potential security threats. Mechanisms are in place to log access attempts to Personal Data, with logs regularly reviewed for auditing purposes.

Device Hardening

Anti-virus and intrusion detection software will be employed on appropriate devices and maintained with current updates to ensure current industry standards in Broadsign’s industry are employed against security threats.

Data Retention and Deletion

Personal Data that is no longer needed is securely deleted to prevent recovery.

Physical Security

Broadsign’s physical office location will be secured and alarmed. The threat to the office location is minimized by the practices Broadsign utilizes to host all software and infrastructure with reputable vendors, as opposed to on-site. Infrastructure and software providers will be selected based on their functional capabilities as well as their organization security practices.

Staff Training and Awareness

Staff training will be conducted periodically, at least annually, to ensure staff remains up to date on security best practices. Training will be tracked and documented per Broadsign policy. Broadsign also conducts ongoing awareness campaigns to keep employees informed of emerging security risks and best practices.

ANNEX 3
Broadsign Entities

ANNEX 4
Subprocessors