This Data Processing Agreement ("DPA") is a legally binding agreement between you ("Publisher" or "Data Controller") and BLUESEA (hereinafter referred to as "we", "BLUESEA", or "Data Processor"). The DPA forms an integral part of the Publisher Service Agreement("Main Agreement") entered into between you and us.

1. Definitions

Unless otherwise specified, the following terms shall have the meanings set forth below in this DPA:

"Data Controller" means the entity that determines the purposes and means of the processing of Personal Data.

"Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation or set of operations performed on Personal Data, including, but not limited to, collection, storage, use, disclosure, deletion, and other operations.

"Data Subject" means the natural person to whom the Personal Data relates.

"Sub-processor" means a third-party processor engaged by the Data Processor to assist in fulfilling its data processing obligations under this Agreement.

"GDPR" means the General Data Protection Regulation (EU) 2016/679 of the European Union.

"Services" means the mobile advertising delivery, bidding, attribution analysis, and other related advertising technology services provided by BLUESEA.

2. Roles and Scope of Processing

2.1 The Parties acknowledge that under this DPA, the Data Controller determines the purposes and means of processing Personal Data, and the Data Processor shall process Personal Data solely in accordance with the Data Controller’s written instructions.

2.2 The Data Controller agrees to publicly post a privacy policy that describes its processing of Personal Data and complies with applicable data protection laws. The Data Controller shall disclose in its privacy policy its use of the Services and how BLUESEA processes Personal Data.

2.3 When using or accessing the Services, the Data Controller shall process Personal Data in compliance with applicable data protection laws and shall ensure that all instructions provided to BLUESEA regarding such processing are lawful. The Data Controller shall ensure that it has obtained valid consent from Data Subjects and other requisite legal bases for processing as required by applicable data protection laws. Upon BLUESEA’s request, the Data Controller shall provide written evidence of such consent and legal bases, including but not limited to the date of consent and the exact consent language presented to the Data Subjects. The Data Controller shall bear full responsibility for the accuracy, quality, and lawfulness of the Personal Data, as well as the manner in which such Personal Data is obtained from users.

2.4 Purpose of Processing: To fulfill the advertising services under the Agreement, including but not limited to ad delivery, frequency capping, fraud prevention, attribution analysis, and billing settlement.

2.5 Types of Personal Data may include:

Mobile device identifiers (e.g., IDFA, GAID, IP address)

Application usage behavior data (e.g., clicks, installs, sessions)

Business contact information (e.g., name, email, and position of customer employees)

2.6 Categories of Data Subjects:

End users of the Controller’s mobile applications

Authorized representatives or employees of the Controller

3. Obligations of the Processor

3.1 BLUESEA shall:

(a) Process Personal Data solely in accordance with the Controller’s instructions;

(b) Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations;

(c) Implement appropriate technical and organizational security measures (as specified in Section 5);

(d) Assist the Controller in responding to Data Subject requests regarding their rights under the GDPR/PDPA (including, but not limited to, access, rectification, erasure, and data portability);

(e) Notify the Controller without undue delay upon becoming aware of a personal data breach.

3.2 BLUESEA may engage third-party Sub-processors to perform processing activities, provided that it notifies the Controller at least 30 days in advance via email or by publishing the notice on its official website. If the Controller does not submit a written and reasonable objection within 15 days of receiving such notice, the engagement of the Sub-processor shall be deemed approved. BLUESEA shall maintain and promptly update a current list of authorized Sub-processors on its official website. BLUESEA shall bear joint and several liability to the Controller for the data processing activities carried out by its Sub-processors.

4.  Cross-Border Data Transfer

4.1 To ensure that personal data transferred by the Data Controller to BLUESEA receives adequate protection in compliance with the requirements of the General Data Protection Regulation (GDPR) of the European Union, the Parties agree to incorporate the updated Standard Contractual Clauses (SCCs) set forth in the European Commission’s Decision (EU) 2021/914 of June 4, 2021, as an integral part of this Data Processing Agreement.

The Parties confirm that the data transfer relationship under this Agreement constitutes a Controller-to-Processor scenario, and Module Two of the SCCs shall apply. Specifically:

The Data Exporter is the Publisher (acting as the Data Controller);

The Data Importer is BLUESEA (acting as the Data Processor).

The specific details required by the SCCs—including categories of Data Subjects, types of Personal Data, special categories of data (if applicable), purposes of processing, duration of processing, and technical and organizational security measures—shall be set forth in Appendix I of this Data Processing Agreement.

In the event of any inconsistency or conflict between this Data Processing Agreement and the SCCs, the provisions of the SCCs shall prevail.

Furthermore, the Parties commit to jointly assess, in accordance with Clause 14 of the SCCs and the European Data Protection Board’s (EDPB) Recommendations 01/2020 on Supplementary Measures, whether the laws and practices of the jurisdiction in which the Data Importer is established may impede the effective implementation of the SCCs. Where necessary, the Parties shall implement appropriate supplementary measures of a technical, organizational, or contractual nature to ensure that Personal Data continues to benefit from a substantially equivalent level of protection as required by the GDPR following the transfer.

4.2 BLUESEA undertakes to comply with all provisions of the SCCs and, where applicable, to conduct a Transfer Impact Assessment (TIA).

5. Security Measures

BLUESEA has implemented and maintains security measures compliant with industry standards, including:

Encryption of data (both in transit and at rest);

Access controls and authentication mechanisms;

Regular security audits and vulnerability management;

Employee data protection training.

The complete security policy is available upon request.

6. Audit Rights

The Data Controller may engage, once per calendar year, a third-party auditor mutually agreed upon by both Parties to audit BLUESEA, solely to fulfill the Data Controller’s audit obligations under applicable data protection laws. To initiate an audit, the Data Controller must submit a detailed audit plan at least four (4) weeks prior to the proposed audit date. The audit shall be conducted during normal business hours, subject to confidentiality obligations and BLUESEA’s internal policies, and shall not unreasonably disrupt BLUESEA’s business operations. All costs associated with the audit shall be borne by the Data Controller.

7.  Data Return and Deletion

Upon termination or expiration of the Agreement, BLUESEA shall, at the Data Controller’s election, delete or return all Personal Data and provide written certification of destruction. If BLUESEA is legally required to retain any portion of the Personal Data pursuant to applicable laws or regulations, it shall promptly notify the Data Controller in writing, specifying the relevant legal basis, categories of data retained, and the intended retention period. During such retention period, BLUESEA shall ensure the continued security of the retained data and shall process it only to the extent necessary to comply with the stated legal obligation.

8. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Singapore. Any dispute arising out of or in connection with this DPA shall be referred to arbitration administered by the Singapore International Arbitration Centre (SIAC) in accordance with its Rules.

Appendix I

This Appendix forms an integral part of the EU Standard Contractual Clauses (2021 version) executed by the Parties under this Agreement and specifies the details required under Module Two (Controller-to-Processor) of the SCCs.

1.  Data Subjects

The Data Subjects whose Personal Data is transferred include, but are not limited to:

End users of the Data Controller (e.g., advertising audiences, application users, website visitors);

Customers or potential customers of the Data Controller;

Employees of the Data Controller (e.g., provided in necessary scenarios such as account management or technical support);

Other natural persons lawfully collected by the Data Controller and provided to BLUESEA.

2. Types of Personal Data

The transferred Personal Data may include the following categories (depending on the specific business scenario):

Basic identity information: user ID, device ID (e.g., GAID, IDFA), IP address, Cookie identifiers;

Device and network information: device model, operating system, browser type, network operator, time zone, language settings;

Behavioral data: ad clicks, impressions, conversion events, page browsing paths, application usage behavior;

Geolocation information (only where authorized by the user): approximate location (city/region level) or precise GPS coordinates (solely under explicit consent);

Other data lawfully provided by the Data Controller relevant to advertising services (excluding direct identifiers such as name, national ID number, or phone number, unless a separate lawful basis exists and is explicitly disclosed).

Note: Special categories of Personal Data (e.g., racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, etc.) are not processed unless the Data Controller provides prior written notice, obtains BLUESEA’s explicit consent, and establishes a lawful basis as required under Article 9 of the GDPR.

3. Sensitive Data

None.

4. Purpose of Processing

BLUESEA, as Processor, shall process Personal Data solely for the following purposes:

Providing programmatic advertising delivery, audience targeting, frequency capping, and anti-fraud services;

Measuring advertising effectiveness (e.g., click-through rate, conversion attribution analysis);

Optimizing advertising algorithms and user experience;

Delivering technical and operational support necessary to fulfill the commercial agreement between the Parties;

Complying with applicable laws, regulations, or regulatory obligations (e.g., responding to lawful law enforcement requests).

5. Duration of Processing

Processing of Personal Data shall commence upon the initial transfer and terminate upon the earliest of the following:

Within 30 days after termination or expiration of the main service agreement between the Parties;

Upon written request by the Data Controller for data deletion;

Within 7 days after the data has fulfilled its processing purpose (e.g., conclusion of the advertising attribution window);

Upon expiration of the minimum retention period mandated by applicable laws and regulations.