CloudX Logo

Data Terms

Updated and Effective: March 4, 2026

These Data Terms (“Data Terms”) apply to the Services provided under the applicable Terms of Service or other service agreement between you (“Customer”) and Continental Expeditions Inc. d/b/a CloudX (“CloudX”) that incorporates these Data Terms (the “Agreement”). Capitalized Terms not defined in these Data Terms shall have the meaning set forth in the Agreement. You accept these Data Terms upon acceptance or execution of the applicable Agreement.

Definitions

In these Data Terms, these terms will have the following meanings: 

“CloudX Privacy Policy” means the then-current version of the CloudX’s Privacy Policy posted on cloudx.io/privacy.

“Controller” means a person that, either alone or with another person, determines the purposes and means of Processing Personal Data, and includes a “Business” as defined by CCPA.

“Data Incident” means any unauthorized destruction, loss, alteration, disclosure, acquisition or use of, or access to, Personal Data Processed under these Data Terms. 

“Data Protection Laws” means all state, federal, national, or international laws, rules, and regulations applicable to the processing of Personal Data under these Data Terms. Data Protection Laws may include, without limitation: Cal. Civ. Code §§ 1798.80 et seq., 1798.100 et seq. and its implementing regulations (“CCPA”) and any other US state consumer privacy laws; any laws, regulations, or rules implementing the foregoing, or implemented in European Union Member States thereunder, and any successor directives or regulations thereof then in effect, as well as the UK Data Protection Act 2018, the UK GDPR (as defined in the Data Protection Act 2018), the UK Privacy in Electronic Communications (EC Directive) Regulations 2003; and Swiss Data Protection Act 2020 (“European Data Protection Laws”); and any applicable requirements of the IAB and NAI and other self-regulatory organizations whose requirements are binding.

“Services” means the Provision of the Platform and Services as described in the Agreement and Annex I to these Data Terms.

“Personal Data” means: (i) any data that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject, including without limitation, all information defined as “Personal Information” or analogous definitions in applicable Data Protection Laws; and (ii) that is shared by a party with the other in connection with the Services.

The terms data subject”, “processing”, “processor”, and sensitive data” have the definitions set forth in applicable Data Protection Laws.

  1. GENERAL TERMS
    1. Scope. These Data Terms apply to all Services provided under the Agreement and for so long as CloudX provides Services to Customer, provided that these Data Terms will survive with respect to any Personal Data Processed by CloudX under the Agreement following the termination or expiration of the Agreement until such Personal Data has been deleted by CloudX in accordance with these Data Terms.
    2. Roles. The Parties acknowledge that with respect to all Services, CloudX and Customer shall be considered independent Controllers with respect to the Processing of Personal Data. Each Party will determine the purposes and means of processing Personal Data in connection with the Party’s provision or use of the Services. The foregoing shall not permit processing that violates any express limitations on a Party’s right to process Personal Data or Customer Personal Data under the Agreement or these Data Terms.
    3. Compliance. Each Party will comply with all applicable Data Protection Laws, as well as all other laws, rules and regulations applicable to the Party’s Processing of Personal Data in connection with the Services. Customer will notify CloudX if it believes it can no longer comply with applicable Data Protection Laws. 
    4. CCPA. To the extent CCPA applies: (i) Personal Data is processed by CloudX for the purposes described on Annex I and as further the CloudX Privacy Policy and documentation; (ii) each party will comply with the CCPA, including by providing the same level of privacy protection as required of “Businesses” under the CCPA; (iii) Customer may take reasonable and appropriate steps to ensure that CloudX processes Personal Data in a manner consistent with Customer’s obligations under the CCPA, to the extent made known in writing to CloudX, and to stop and remediate the unauthorized processing Personal Data; and (iv) each Party shall notify the other if the Party makes a determination that it can no longer meet its obligations under the CCPA.
    5. Privacy Notices. Each Party shall maintain a privacy policy and other privacy notice as required under applicable Data Protection Laws. Customer acknowledges that CloudX does not collect data directly from Data Subjects, and as between the parties, Customer is responsible for providing notices to data subjects of the processing performed in connection with the Services. Customer shall notify Data Subjects that it uses the CloudX Service, e.g. by including a statement that identifies CloudX, describes the Services and related processing, and a link to the CloudX privacy policy (Cloudx.io/privacy).
    6. Consent. To the extent consent from a Data Subject is required to process Personal Data in connection with the Services, then as between the parties, Customer is responsible for obtaining, and represents and warrants that it has obtained, any and all necessary consents from Data Subjects, in each case, as necessary to: (i) permit processing of Personal Data by CloudX in connection with its performance of the Services as further described in these Data Terms, CloudX Privacy Policy, and the Agreement; and (ii) comply with applicable Data Protection Laws. 
    7. Data Subject Rights. Customer will provide a means to receive, process, give effect, and notify CloudX of any requests by Data Subjects to exercise their rights under applicable Data Protection Laws, including (without limitation) requests to out-out of sale, “sharing”, or targeted advertising, to withdraw consent, or to object to or limit the processing of Personal Data. The Parties will cooperate as needed to fulfill such data rights requests. Each party will notify and cooperate with the other (except where prohibited by law) to all inquiries from Data Subjects or governmental authorities with respect to the processing of Personal Data in connection with the Services. Customer shall comply with all CloudX documentation regarding the presentation and enablement of Privacy Notices in connection with the Service (if any), any consent or opt-out  preference signaling (e.g. GPP) integration.  or similar notice and consent requirements.
    8. Security. Each Party will maintain reasonable technical, organizational, and physical data security safeguards to protect Personal Data from accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, access, or other processing. Each Party will notify the other without undue delay following the confirmation of a Data Incident affecting Personal Data processed under these Data Terms.
    9. Information and Audits. Each Party will cooperate with the other Party’s reasonable request from time to time for information regarding privacy and security practices and compliance with these Data Terms, including information the other Party deems necessary to comply or demonstrate compliance with applicable Data Protection Laws. Promptly following CloudX’s request, Customer shall certify to CloudX that it complies with these Data Terms, its purpose(s) or use(s) of Personal Data by that Party, as applicable, and that each such purpose or use complies with these Data Terms. Each Party may take reasonable and appropriate steps, as mutually agreed by the Parties to ensure the Party’s processing of Personal Data complies with applicable Data Protection Laws and these Data Terms.
  3. INTERNATIONAL TRANSFERS
    1. Any processing of Personal Data through the Services that involves transfers of Personal Data subject to European Data Protection Laws outside of an “adequate” jurisdiction are made subject to the International Transfer Provisions set forth on Annex II.
    2. Customer represents and warrants that it is not a covered person or country of concern. Customer is prohibited from knowingly  transferring, selling, sharing, or otherwise providing access to Personal Data to a covered person or country of concern. If Customer is a foreign person, Customer must refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person.  Customer shall take all necessary steps to prevent any access to Personal Data by Covered Persons, including (but without limitation) entering into written agreements that require foreign persons to refrain from engaging in a subsequent covered data transaction involving data brokerage of the same data with a country of concern or covered person. All terms in this Section 3.2 that are not defined in these Data Terms shall have the meaning set forth in 28 C.F.R. Part 202.
  5. ENFORCEMENT
    1. If CloudX determines in its reasonable discretion that Customer has violated these Data Terms, then CloudX may take enforcement action against Customer by limiting, suspending, or terminating Customer’s access to Personal Data or taking other action that may be reasonably necessary to protect the privacy or security of Personal Data.
    2. Notwithstanding anything to the contrary in the Agreement, CloudX may retain any documentation necessary to demonstrate its compliance with applicable Data Protection Laws consistent with legal or regulatory obligations.
    3. The Parties acknowledge and agree that the existence of these Data Terms does not constitute an admission that the disclosure of Personal Data to CloudX constitutes a sale or sharing of Personal Data.
  7. MISCELLANEOUS
    1. Priority. To the extent of any inconsistency or conflict among the following, the order of precedence shall be: (1) the SCCs (if applicable); (2) the Data Terms; and (3) the Agreement.
    2. Changes. In the event of any change in the Data Protection Laws, the Parties will negotiate in good faith toward an agreement on any additional contractual terms which may be required following such change.
    3. Applicable law. These Data Terms are governed by the law of the Agreement, provided that (i) where the SCCs apply, the applicable law as established under the SCCs shall apply, and (ii) to the extent applicable law of a given jurisdiction prohibits the application of the law of the Agreement, then the law of that jurisdiction shall apply.
    4. Termination. These Data Terms are co-terminus with the Agreement.
    5. Limitations of liability. The limitations of liability set forth in the agreement apply to the liabilities under these Data Terms, except that the limitation of liability provisions shall not apply to Customer or any of its affiliates’ breach of Section 3.2 of these Data Terms, and Customer shall indemnify, defend, and hold CloudX, and its affiliates, officers, directors, employees, and agents (collectively, the “Indemnitees”) from and against any third-party claims, suits, demands, losses, damages, liabilities, or expenses (including reasonable attorneys’ fees) arising from the same.


Annex I 

 Description of Processing

The Parties 

The Customer and CloudX, each as defined in the Agreement

Description of Processing

The performance of the Services as provided in the Agreement, including without limitation conducting real-time auctions for ad space offered by publishers and the facilitation of the serving of ads through the Services.

Activities relevant to the processing

  • Customer (as demand partner): responding to bid requests; ad serving; collection of metrics or similar customer data
  • Customer (as publisher): placing bid requests; delivering advertisements; obtaining consent to data processing
  • CloudX: conducting auctions; facilitating delivery of ad delivery and serving

Duration; retention

Personal Data will be retained for the retention periods specified in the Agreement and as otherwise set forth in these Data Terms

Categories of Personal Data

  • Mobile advertising identifiers (e.g. MAID, IDFA, etc.)
  • TCF or GPP consent strings
  • an Internet Protocol (IP) address
  • cookie IDs
  • User Agent/device characteristics (e.g. screen resolution, OS/browser version, device model, configuration parameters, etc.)
  • Application identifiers

Categories of Sensitive Data 

None

Categories of data subjects

Users of online services participating in RTB auctions facilitated via the Services

Frequency of the Transfers

Continuously


Annex 2

International Transfer Provisions

  1. GENERALLY. Transfers of Personal Data subject to Data Protection Laws of the EEA, UK and Switzerland outside of “adequate” jurisdictions shall be transferred subject to the Standard Contractual Clauses as adapted in Sections 2-4 of this Annex 2 (as applicable). 
  2. TRANSFERS FROM EEA. With respect to the transfers of Personal Data subject to GDPR made pursuant to Section 1 of this Annex 2, the parties hereby enter into to the Standard Contractual Clauses, which shall be deemed completed as follows, and incorporated into these Data Terms by this reference:
    1. The parties agree that only “Module One” (Controller-to-Controller) of the Standard Contractual Clauses shall apply to these Data Terms; 
    2. In Clause 7, the optional docking clause will not apply;
    3. In Clause 11, the optional language will not apply;
    4. In Clause 17, Option 1 shall apply, and the Standard Contractual Clauses will be governed by the law of the Agreement, provided that if such law is not the law of an EU member state, or if the Agreement does not contain a governing law provision, the Standard Contractual Clauses will be governed by the laws of Ireland;
    5. In clause 18(b), Option 2 shall apply, disputes will be resolved before the courts specified in the Agreement, provided that if such law is not the law of an EU member state, or if the Agreement does not specify a venue/forum, disputes will be resolved before the courts of Ireland;
    6. Annex I.A. and I.B. are completed with the information set forth in the Agreement, as supplemented by Annex 1 of these Data Terms. 
    7. Annex I.C. of the Standard Contractual Clauses: The competent supervisory authority shall be the supervisory authority with authority over the data exporter, or if none, the Irish DPC.
    8. Annex II is completed with the information specified in Section 2.8 of these Data Terms.
  4. TRANSFERS FROM THE UK. With respect to Transfers of Personal Data subject to UK GDPR outside the UK made pursuant to Section 1, the parties hereby enter into the Standard Contractual Clauses completed as set forth in Section 2, and further amended by the UK SCC Addendum, completed as follows, and each of which are hereby incorporated into these Data Terms by this reference:
    1. Table 1 shall be completed with the relevant information of the Customer (or its affiliate(s)) entitled to receive Services under the Agreement), and the Parties as identified in the Agreement, as supplemented by Annex I, with the “start date” the Effective Date of the Agreement;
    2. Table 2: The selection shall be “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of these Data Terms” and the table shall be completed as follows:
      1. Only Module 1 in operation, with each Party (or its affiliate(s) acting as a “Controller”;
      2. Clause 7 (Docking Clause) will not apply; 
      3. Clause 11 (Option) will not apply;
    4. Table 3: shall be completed with the information from Annex I of these Data Terms; and
    5. Table 4: Does not apply to either party.
  6. TRANSFERS FROM SWITZERLAND. With respect to transfers of Personal Data subject to the FADP outside Switzerland under Section 1, the parties hereby enter into the Standard Contractual Clauses completed as set forth in Section 2, subject to the following amendments:
    1. the term “Personal Data” shall be deemed to include information relating to an identified or identifiable legal entity;
    2. references to (articles in) the EU GDPR 2016/679 shall be deemed to refer to the corresponding articles in the FADP;
    3. reference to the competent Supervisory Authority in Annex I.C. under Clause 13 shall be deemed to refer to the Swiss Federal Data Protection and Information Commissioner;
    4. references to the European Union or Member State(s)/EU Member State(s) shall be deemed to include Switzerland; and
    5. where the Clauses use terms that are defined in the EU GDPR 2016/679, those terms shall be deemed to have the meaning as the equivalent terms are defined in the FADP.