Data Policy

NYIAX DATA PROCESSING ADDENDUM Effective Date: May 28, 2018.

This Data Processing Addendum (“DPA”) forms part of the NYIAX Agreement, NYIAX Master Service Agreement, or other written or electronic agreement (the “Agreement”) between NYIAX, Inc. and its and Customer for use of the NYIAX products and services (the “NYIAX Products and Services”). By continuing to access and use the NYIAX Products and Services after the Effective Date, the Customer accepts and agrees to be bound by, the terms of this DPA, on behalf of itself and its Affiliates. The term of this DPA shall commence on August 24, 2021, and end on the date that NYIAX ceases to process Personal Data on behalf of the Customer.

Definitions:

“Customer” shall have the meaning set forth in the Agreement.

“Customer Personal Data” means Customer Data that is also Personal Data.

“Controller” means the entity that determines the purposes and means of the processing of Personal Data.

“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under this Agreement, including those of the European Union, the European Economic Area, Switzerland, and the United Kingdom.

“Data Subject Tool” means any tool made available by NYIAX directly to data subjects that enables NYIAX to respond in an automated fashion to certain requests from data subjects regarding Personal Data.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Personal Data” means information relating to an identified or identifiable natural person. NYIAX.COM

“Personal Data Incident” means a breach of NYIAX’s security systems that results in the accidental, unlawful, or unauthorized destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. A Personal Data Incident does not include activities that do not compromise the security of Customer Personal Data including unsuccessful log-in attempts, denial of service attacks, and other mitigated attacks on networked systems.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available. Data Processing Roles of the Parties. The parties agree that with regard to the Processing of Customer Personal Data under the Agreement, the Customer is the Controller and NYIAX is the Processor. Each party will comply with the obligations applicable to it under the Data Protection Laws and Regulations with respect to the Processing of Personal Data. Customer’s Processing of Personal Data. Customer shall, in its use of the NYIAX Products and Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Customer shall have sole responsibility for establishing the lawful means by which Customer acquires and uses Personal Data. NYIAX as Processor. NYIAX shall only process Customer Personal Data on behalf of, and at the direction of, the Customer. NYIAX as Controller. NYIAX may also be an independent Controller for some Personal Data relating to you, your employees, or partners. Please see Schedule 1 for details about this Personal Data which we control.

When we process Personal Data as a Controller, you acknowledge and confirm that the Agreement does not create a joint Controller relationship between you and us. Purposes of Processing. NYIAX shall only Process Personal Data in accordance with (i) the Customer’s written instructions, (ii) the terms of the Agreement, and (iii) any applicable Order Forms and/or Statements of Work.

NYIAX shall have a right to Process certain categories of Personal Data on behalf of the Customer for certain defined purposes, as more expressly set forth in Schedule 1. NYIAX.COM Rights of Data Subjects. If a data subject requests information from NYIAX via a Data Subject Tool about the processing of Personal Data, then NYIAX will automatically respond to such request in accordance with the standard functionality of the Data Subject Tool. If the request is not made via the Data Subject Tool and/or the Data Subject Tool is not able to respond to such request in an automated fashion, then NYIAX shall provide reasonable assistance to Customer in responding to written information requests from data subjects, solely to the extent permitted by law and technical limitations. The Data Subject Tool can be found at www.NYIAX.com/privacy-policy/ Customer acknowledges that NYIAX may not be able to verify the personal identity of an individual Data Subject in order to respond to a subject access request. Requests for assistance may be sent to PRIVACY@NYIAX.COM.

Technical and Security Safeguards.

Systems. NYIAX shall maintain appropriate technical and organizational policies, procedures, and safeguards for protection of Customer Personal Data, including protection against unauthorized Processing, and against destruction, loss, alteration, damage, or unauthorized disclosure of or access to, Customer Personal Data. A summary of NYIAX’s technical and organizational policies is attached here as Schedule 2. Confidentiality. NYIAX shall ensure that all personnel responsible for Processing Customer Personal Data enter into customary confidentiality agreements, which shall govern the access, use, and treatment of Customer Personal Data by NYIAX.

Access by NYIAX Employees.

NYIAX shall use commercially reasonable efforts to limit access to Customer Personal Data to those individuals that require access to Customer Personal Data in order to provide the NYIAX Products and Services to Customer.

Personal Data Incident Notifications. NYIAX shall maintain Personal Data Incident management policies and procedures and shall, as soon as reasonably practicable and in accordance with the timelines required by the Data Protection Laws and Regulations, notify Customer of any Personal Data Incidents that result in the unauthorized or illegal destruction, loss, alteration, disclosure of, or access to, Customer Personal Data that is stored or Processed by NYIAX.

NYIAX will take prompt action to mitigate any harm to Customer and/or Customer’s Personal Data. NYIAX.COM Removal and Deletion of Customer Data. Upon the request of Customer and/or at the conclusion of the Agreement Term, NYIAX shall, to the extent feasible considering the functionality of the NYIAX Products and Services, delete Customer Personal Data from its systems, as soon as reasonably practicable, or as stipulated within the Customer specific Agreement with NYIAX, but no later than one hundred eighty (180) days of Customer’s request. The request must be in writing not through the Data Subject Tool via corporate verifiable email and Customer authorization citing the Agreement and representatives who are signatories to the Agreement.

Data Protection Officer:

NYIAX has appointed a Data Protection Officer (“DPO”) that is responsible for assisting with compliance obligations for Europe. The DPO may be reached at privacy@NYIAX.com.

Sub-Processors. Customer acknowledges and agrees that NYIAX may engage Sub-Processors to assist with the hosting and storage of Customer Personal Data. NYIAX shall use commercially reasonable efforts to enter into a written agreement with each Sub Processor that contains data protection obligations no less protective than those in the DPA. Current Sub-Processors are identified in Schedule 3.

NYIAX.COM SCHEDULE 1

Description of Personal Data and Processing Activity Types of Personal Data NYIAX as Controller

● Contact details such as your name, address, telephone number, and email address (as provided by you).

● Details regarding the transactions you undertake or authorize using our Products and Services. NYIAX as Processor on behalf of Customer, NYIAX may process the following types of Personal Data:

● Web browsing information

● Mobile application usage information

Nature and Purpose of Processing NYIAX will Process Personal Data as necessary to provide the NYIAX Products and Services to Customer NYIAX Processes Personal Data, as instructed by Customer for the following purposes:

● Campaign analytics and insights

● ID syncing

● Market research Special Categories of Data At the request and direction of Customer, NYIAX may Process special categories of data

SCHEDULE 2

Technical and Security Safeguards Data Transmission

All customer interactions with the NYIAX Products and Services are encrypted in transit with Secure Sockets Layer (SSL) technology using industry-standard encryption practices.

Application Security

All user access to the NYIAX Products and Services is protected by granular user privileges, including distinct read/write privileges. These privileges are packaged into reusable and customizable roles. Individual users are granted any number of roles, thus providing the capability to control specific responsibilities and access levels within a customer’s organization.

Development Practices

NYIAX utilizes industry-standard source code management systems to manage the introduction of new code into the product suite. Access to the code repositories is granted on an as-required basis only to employees within the Technology and Engineering organizations.

Hosting Infrastructure

NYIAX infrastructure is hosted in a combination of Amazon Web Services (AWS). AWS is a top-tier hosting provider with hardened and redundant facilities management practices. NYIAX does not maintain any physical access to the AWS, and remote access is restricted to named operations staff on as required basis. They provide a fully redundant and fault-tolerant infrastructure, including on-site power generation in the event of the failure of a public utility. The NYIAX footprint within the facilities is itself internally fault-tolerant and fully redundant at the hardware, software, and connectivity layers.

NYIAX.COM Configuration Management

NYIAX utilizes automated configuration management tools to manage application runtimes and configuration parameters across our infrastructure, with access restricted to staff that supports releases and operations. Within the configuration management information architecture, credentials used by automated systems (e.g., database logins) are isolated from general application configuration parameters to further limit access to such credentials.

SCHEDULE 3

Sub-processors

Amazon Web Services, Inc.

Third-party cloud hosting provider for the NYIAX Products and Services.

Zendesk, Inc

Third-party application for managing user support requests

Google Ad Manager

Third-party SAS platform designed to manage the process of delivering ads to your websites, mobile devices, games, etc.

NASDAQ-OMX

Third-party SAS platform designed to manage buying, selling, and trading of contract details and compliance with no personally identifiable information level data.

NYIAX, Inc. c/o Privacy
244 5th Avenue, STE 2669, NYC, NY 10001 USA.