Last Revised: 2nd Feb 2026
This Data Processing Agreement (“DPA”) governs the Processing by Vortex Media LLC Ltd., Vortex Media LLC , Inc. and their Affiliates (“Vortex”) with regard to Customer’s (“Customer”) Personal Data.
This DPA forms an integral part of the agreement executed between the parties (“Agreement”) governing the Services provided by Vortex to Customer. Capitalized terms used herein but not defined herein shall have the meanings ascribed to them in the Agreement.
This DPA sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data (as such terms are defined below) during the course of the engagement between the parties.
WHEREAS, Vortex provides publisher monetization, marketplace and advertising technology services (“Services”); WHEREAS, the Services may require Vortex to Process Personal Data on Customer’s behalf subject to the terms and conditions of this DPA; and WHEREAS, the parties desire to supplement the Agreement to achieve compliance with the UK, EU, Swiss, United States and other data protection laws and agree on the following:
1.1 “Adequate Country” is a country that has an adequacy decision from the European Commission.
1.2 “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq., as amended from time to time.
1.3 “Controller“, “Processor“, “Data Subject“, “Personal Data“, “Processing” (and “Process“), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “Service Provider”, “Contractor”, “Sale”, “Sell”, “Share” and “Sharing” shall have the same meanings as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to a “Consumer”. “Personal Data” shall also mean and refer to “Personal Information,” as such term is defined in the CCPA.
1.4 “Consent” means an End User informed and freely given consent, that meets the requirements stipulated under Article 7 of the GDPR or under Purpose 1 of the IAB TCF Policy (as such term is defined below), where applicable.
1.5 “Customer Data” means any and all Personal Data shared or otherwise collected or processed by Vortex’s systems while providing its Services, as detailed in ANNEX I.
1.6 “Data Protection Law” means applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK Data Protection Laws, Swiss Data Protection Laws, Israeli Law and the CCPA and the Brazilian General Data Protection Law “LGPD”) as may be amended or superseded from time to time.
1.7 “EEA” means the European Economic Area.
1.8 “End User” means an individual visiting or browsing the Customer’s website, app or any other digital property operated by Customer.
1.9 “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) Regulation 2018/1725; (iii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iv) any national data protection laws made under, pursuant to, replacing or succeeding (i) – (iii); and (v) any legislation replacing or updating any of the foregoing.
1.10 “IAB Consent Management Framework” means the IAB Tech Lab’s technical specification for the GDPR transparency & consent framework.
1.11 “IAB TCF Policy” means the IAB Europe Transparency & Consent Framework – Policies, as amended or updated from time to time.
1.12 “ID” means (i) a unique identifier stored on an End-User’s device; (ii) a unique identifier generated for a specific End User; (iii) an online identifier associated with a particular device; or (iv) a cookie ID, agent ID, IP address, URL or RTB tag, or any online identifier identifying an End User or a specific device.
1.13 “Israeli Law” means Israeli Privacy Protection Law, 5741-1981, the regulations promulgated pursuant thereto, including the Israeli Privacy Protection Regulations (Data Security), 5777-2017 and other related privacy regulations.
1.14 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
1.15 “Signal” means a consent and/or privacy signal, as such term is defined under the IAB TCF Policy, where applicable.
1.16 “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021.
1.17 “Swiss Data Protection Laws” or “FADP” shall mean the Swiss Federal Act on Data Protection and any other applicable data protection or privacy laws of the Swiss Confederation as amended, revised, consolidated, re-enacted or replaced from time to time, and to the extent applicable to the processing of Personal Data under the Agreement.
1.18 “Swiss SCC” shall mean the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner.
1.19 “UK Data Protection Laws” shall mean the Data Protection Act 2018 (DPA 2018), as amended, and EU General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as incorporated into UK law as the UK GDPR, as amended, and any other applicable UK data protection laws, or regulatory Codes of Conduct or other guidance that may be issued from time to time.
1.20 “UK GDPR” shall mean the GDPR as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
1.21 “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State.
Any other terms that are not defined herein shall have the meaning provided under the Agreement or applicable Law. A reference to any term or section of CCPA, UK Data Protection Laws or GDPR means the version as amended. Any references to the GDPR in this DPA shall mean the GDPR and/or UK GDPR depending on the applicable Law.
2.1 The parties acknowledge that in relation to all Customer Data, as between the parties, Customer is the Controller of Customer Data, and that Vortex, in the course of providing the Services is acting as a Processor on behalf of the Customer. For the purpose of the CCPA (and to the extent applicable), Customer is the Business and Vortex is the Service Provider and/or Contractor. Customer further acknowledges that Vortex may be a “Vendor” as such term is defined under the IAB TCF Policy, where applicable.
2.2 The purpose, subject matter and duration of the Processing carried out by Vortex on behalf of the Customer, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in ANNEX I attached hereto.
3.1 The Customer represents and warrants that: (i) its Processing instructions shall comply with applicable Data Protection Law; and (ii) it will comply with Data Protection Law, specifically with regard to the lawful basis principle for Processing Personal Data.
3.2 Customer acknowledges and agrees that the End User does not have a direct relationship with Vortex; however, the Services are dependent and based upon End User’s Consent or any other demonstrated lawful basis, that shall be obtained by Customer and which Vortex relies on, amongst others, in its capacity as a Vendor under the IAB TCF Policy, where applicable. Customer also acknowledges that it shall be able to demonstrate such Consent at any time and represents that such Consent exists. In addition, Customer will be able to support transmission of Consent and opt-out parameters, as further detailed in ANNEX VII. Vortex shall not be liable with respect to the obtaining of any required consent or with respect to the Signal provided by the Customer and shall transfer the Signal “as is” and as it was provided to Vortex by the Customer as further reflected in ANNEX VII. Notwithstanding the above, and solely in the EEA, where applicable, Customer shall ensure to invoke the Services only upon receiving Consent for Purpose 1 of the IAB TCF Policy (storage/access), unless it has a legal exemption to not obtain such consent.
3.3 Customer represents and warrants that any request will include the applicable Consent parameter and the Signal so that any returned content will be lawfully served. Applicable Consent parameters will be determined by Customer as per the supported consent management parameters detailed in ANNEX VII, as may be updated from time to time. Customer acknowledges and agrees that such requests may be directly transmitted to third-party advertising platforms, and such platforms will respond as per Customer’s request. Therefore, Vortex, as the technology provider, has no control over such parameters or over the Signal and shall not be responsible for any parameter or Signal that was unlawfully or misleadingly sent by Customer, nor liable for any damages resulting therefrom.
3.4 Vortex represents and warrants that it: (i) shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Services, and for the pursuit of a Business Purpose as set forth under the CCPA (as applicable), all in accordance with Customer’s written instructions including the Agreement and this DPA; (ii) in the event Vortex is required under applicable laws, including Data Protection Law or any union or member state regulation, to Process Personal Data other than as instructed by Customer, it shall inform the Customer of such requirement prior to Processing such Personal Data, unless prohibited under applicable law; and (iii) shall provide reasonable cooperation and assistance to Customer in ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of Personal Data and to consult with the supervisory authority (as applicable).
3.5 Vortex shall take reasonable steps to ensure: (i) the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process Personal Data; (ii) that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) that such personnel are aware of their responsibilities under this DPA and any applicable Data Protection Laws.
3.6 If the EU Data Protection Law or the CCPA do not apply to the Customer, then Customer must abide by any other Data Protection Law and data security laws and regulations that are applicable to it, and at a minimum Customer shall: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow the Processor to lawfully collect, handle, retain, process and use the processed data within the scope of the Services; (ii) substantiate the legal basis and legitimize, pursuant to applicable law, any and all Personal Data or personally identifiable information transferred through the Services; (iii) have, properly publish and abide by an appropriate privacy policy that complies with all applicable Data Protection Law.
4.1 It is agreed that where Vortex receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Vortex, where relevant, it will direct the Data Subject or the applicable authority to the Customer in order to allow the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
4.2 Where applicable, Vortex shall assist the Customer in ensuring that Personal Data Processed is accurate and up to date, by informing the Customer without delay if it becomes aware of the fact that the Personal Data it is Processing is inaccurate or has become outdated.
5.1 It is hereby agreed that any sharing of Personal Information between the parties is made solely in order to fulfill a Business Purpose and Vortex does not receive or process any Personal Information as consideration for the Services. Notwithstanding the above, the sharing of Personal Information with third parties in advertising workflows may be considered a Sale or Sharing under the CCPA. The Customer is therefore solely liable for its compliance with the CCPA with respect to its use of the Services. It is the Customer’s sole responsibility and liability to determine whether the sharing or transferring of Personal Information of Consumers during the course of the Services constitutes a Sale or Sharing of Personal Information and it is also the Customer’s responsibility to comply with the applicable CCPA requirements in this regard, including providing a “Do Not Sell or Share” signal for end users who have exercised their right to opt out, where applicable.
6.1 The Customer acknowledges that Vortex may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby authorizes Vortex to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a sub-processor on its behalf. Vortex may continue to use those Sub-Processors already engaged by it, as listed in ANNEX III, and subject to the provision of a 30-day prior notice to the Customer, Vortex may engage an additional or replace an existing Sub-Processor to process Personal Data. In case the Customer has not objected to the adding or replacing of a Sub-Processor in the allotted time period, such Sub-Processor shall be considered as approved by the Customer. In the event the Customer objects, Vortex may, under Vortex’s sole discretion, suggest the engagement of a different Sub-Processor for the same course of services, or otherwise terminate the Agreement.
6.2 Vortex shall, where it engages any Sub-Processor, impose, through a legally binding contract between Vortex and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor (“Contract”). Vortex shall ensure that the Contract will require the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Law.
6.3 Vortex shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations in accordance with the Agreement. Vortex shall notify the Customer of any failure by the Sub-Processor to fulfil its contractual obligations.
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and without prejudice to any other security standards agreed upon by the parties, Vortex shall implement appropriate physical, technical and organizational measures to protect the Customer Data as required under Data Protection Laws to ensure lawful processing of Customer Data and safeguard Customer Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction. The parties acknowledge that security requirements are constantly changing and that effective security requires the frequent evaluation and regular improvement of outdated security measures.
7.2 The security measures are further detailed in ANNEX II. The Customer was able to convince itself of these measures and considers them appropriate.
8.1 Vortex shall notify the Customer upon becoming aware of any confirmed Security Incident involving the Customer’s Data in Vortex’s possession or control, as determined by Vortex in its sole discretion. Vortex shall, in connection with any Security Incident affecting the Customer Data: (i) take such steps as necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) cooperate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority to the extent legally permitted; (iv) keep the Customer informed of all material developments in connection with the Security Incident and execute a response plan to address the Security Incident; and (v) cooperate with the Customer and assist Customer with the Customer’s obligation to notify affected individuals in the case of a Security Incident, as required by applicable law.
8.2 Vortex’s notification regarding or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Vortex of any fault or liability with respect to the Security Incident.
9.1 Vortex shall respond promptly and adequately with respect to any inquiries from the Customer regarding the Processing of Personal Data in accordance with this DPA. Vortex shall make available to the Customer all information necessary to demonstrate compliance with the obligations under the EU Data Protection Law, where applicable.
9.2 Vortex shall make available, solely upon prior written notice and no more than once per year (except in the case of a Security Incident), information necessary to reasonably demonstrate compliance with this DPA to a reputable auditor nominated by the Customer, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Customer Data (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Vortex may object to an auditor appointed by the Customer in the event Vortex reasonably believes that the auditor is not suitably qualified or independent, is a competitor of Vortex or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Vortex. If the Customer commissions an auditor to carry out an inspection (including an on-site inspection), the Customer shall oblige this auditor in writing to maintain secrecy and confidentiality, unless the auditor is subject to a professional obligation of secrecy. At the request of Vortex, the Customer shall submit the corresponding agreements with the auditor to Vortex without delay.
Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Vortex’s premises, equipment, personnel and business. Any and all conclusions of such Audit shall be confidential and reported back to Vortex immediately.
Any on-site inspection requires a written advance notice of 30 days, as a general rule, and is limited to ordinary business hours and has to be undertaken in a way so it minimizes any impact of Vortex’s business operations. Any routine on-site inspections are limited to a maximum of one time per calendar year (except in the case of a Security Incident).
10.1 Transfers from the EEA, the UK or Switzerland to non-adequate third countries. Where the GDPR, UK GDPR or the Swiss FADP is applicable, if the Processing of Personal Data by Vortex (or by a Sub-Processor) includes transfer of Personal Data (either directly or through an onward transfer) to a third country outside the EEA, the UK and Switzerland that is not an Adequate Country, such transfer shall only occur if an appropriate safeguard approved by the applicable Data Protection Law (the GDPR (Article 46), UK GDPR (Article 46) or Swiss FADP (as applicable)) for the lawful transfer of Personal Data is in place.
10.2 If Vortex or its Sub-processor relies on the Standard Contractual Clauses to facilitate a transfer to a third country that is not an Adequate Country, then:
10.2.1 transfer of Personal Data from the EEA the terms set forth in ANNEX IV shall apply.
10.2.2 transfer of Personal Data from the UK, the terms set forth in ANNEX V shall apply; and
10.2.3 transfer of Personal Data from Switzerland, the terms set forth in ANNEX VI shall apply.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. For the avoidance of doubt, in the event Standard Contractual Clauses have been executed or incorporated between the parties, the terms of the Standard Contractual Clauses shall prevail over those of this DPA. Except as set forth herein, all of the terms and conditions of the Agreement shall remain in full force and effect.
12.1 This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement terminates. The Customer shall be entitled to suspend the Processing of its Customer Data in the event that Vortex is in breach of Data Protection Laws or the terms of this DPA in accordance with a binding decision of a competent court or the competent supervisory authority.
12.2 Vortex shall be entitled to terminate this DPA or terminate the Processing of Customer Data in the event that Processing of Personal Data under the Customer’s instructions or this DPA infringes applicable legal requirements, subject to informing the Customer and providing the Customer an opportunity to modify its instructions unless prohibited by law.
12.3 Following the termination of this DPA, Vortex shall, at the choice of the Customer, delete all Customer’s Personal Data processed on behalf of the Customer and certify to the Customer that it has done so, or otherwise, return all Customer Data to the Customer and delete existing copies unless applicable law or regulatory requirements require that Vortex continue to store the Customer’s Personal Data. Until the Personal Data is deleted or returned, Vortex shall continue to ensure compliance with this DPA.
This ANNEX I includes certain details of the Processing of the Customer Data as required by Article 28(3) GDPR.
Categories of Data Subjects:
End Users / Data Subjects that viewed targeted and personalized ads or content provided by third-party advertisers (displayed through the Services) which are placed on the Customer’s inventory.
Categories of Personal Data:
IDs.
Special Categories of Personal Data:
Not Applicable.
Process Frequency:
The Personal Data is transferred on a continuous basis.
Nature of the Processing:
Transmission and optimization.
Purpose(s) of Processing:
Processing carried out in connection with the provision of the Services.
Retention Period:
For as long as needed to provide the Services, comply with applicable laws or otherwise requested by the Controller. For avoidance of doubt, the IDs are used in real time and are not stored or kept by Vortex. Logs tracing events are stored between 7 to 30 days for fraud prevention purposes.
Description of the technical and organizational measures implemented by Vortex (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
The security objectives of Vortex are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):
Availability – information and associated assets should be accessible to authorized users when required. The network must be resilient. Vortex must detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know basis.
Integrity – safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification of electronic data.
Vortex’s databases and production systems are accessible only by authorized personnel. Personal data processed and stored by Vortex is stored with reputable third-party cloud providers and access is granted through individual user authentication. Access to systems is restricted and based on procedures to ensure appropriate approvals are provided solely to the extent required. Remote access requires appropriate safeguards, including VPN protection or equivalent security controls. Systems are protected and authorized employees may access systems using designated username and password protections.
Vortex secures physical access to its offices and ensures that only authorized persons such as employees have access. Vortex works with reputable third-party data centers as its primary storage and processing environment. Transfers of Personal Data are secured and encrypted. Vortex enters into applicable and binding data processing agreements with its vendors and customers.
All access to databases, systems or storage is subject to authorization controls and credential protection. Access to Personal Data is restricted to employees with a need-to-know and is protected by usernames and passwords. Vortex logs and monitors access and investigates alerts indicating anomalous activity. Vortex revokes access upon termination of employment or role change.
Vortex educates its employees and service providers and raises awareness, risk and assessment with regard to processing of Personal Data. Security testing is performed on a regular basis. Vortex maintains IT security practices including anti-malware protection, firewalls and endpoint controls designed to protect against malicious use. Personnel are responsible for complying with security practices and standards.
Vortex implements measures to help ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during electronic transmission or storage. Transfers of data between servers, from client-side to server-side and between designated partners are secured.
Vortex’s servers include automated backup procedures. Vortex maintains industry-standard security measures and encryption of Personal Data in transit and at rest.
Personal Data is deleted as soon as feasible in accordance with retention requirements set forth in ANNEX I and applicable law.
External penetration tests may be performed on a periodic basis. Vortex conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after significant changes. Identified deficiencies are remediated in a timely manner.
Employees, vendors and processors are bound by agreements that include applicable data protection and data security obligations. Vortex may provide periodic compliance and security training.
Vortex ensures an appropriate level of technical and organizational security measures at Sub-Processors involved in order to process Personal Data within an appropriate and secure framework.
If Sub-Processors are involved in the processing of Personal Data (e.g., hosting, provision of data-center space, cloud services, operating software etc.), implementation of technical and organizational measures by the respective Sub-Processor will be ensured by corresponding data processing agreements, if necessary.
The following Sub-Processors / subcontractors are involved by Vortex:
SUB-PROCESSORS APPLICABLE FOR ALL COUNTRIES / CUSTOMERS:
Sub-processor (Company Name, Address) | Service Type | Location of data center / processing | Address |
Amazon Web Services | Cloud Provider / Infrastructure | US-East 1 – N. Virginia | Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210 |
Google Cloud Platform | Cloud Provider / Infrastructure | US/Europe | 1600 Amphitheatre Parkway, Mountain View, CA 94043 |
Akamai | CDN Provider | Worldwide | 3715 Northside Parkway, N.W., Bldg. 200, Suite 300, Atlanta, GA 30327 |
StackPath | CDN Provider | Worldwide | 1950 N Stemmons Fwy Suite 1001, Dallas, TX 75207, United States |
Site 24×7 | Monitoring & SIEM | US | 4141 Hacienda Drive, Pleasanton, CA 94588, USA |
Google Workspace | Email, Users and Productivity Tools | Worldwide | 1600 Amphitheatre Parkway, Mountain View, CA 94043 |
SpotInst | Cloud Ops | US | Shalom Meir Tower, Tel Aviv-Yafo, 6525101 |
HUMAN Security | Fraud Detection | Worldwide | 111 West 33rd Street, 11th Floor, New York, NY 10001 |
Where applicable, for transfers of Personal Data from Switzerland to non-adequate countries, the Standard Contractual Clauses shall apply, with modifications required under Swiss Data Protection Laws, including that: (i) references to GDPR shall be interpreted to include the Swiss FADP where applicable; (ii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner; and (iii) data subjects in Switzerland shall be entitled to enforce their rights under the Standard Contractual Clauses.
Case | Action |
CMP IAB Framework parameters available | Customer will pass the GDPR and CONSENT parameters to Vortex components based on Vortex technical documentation, and Vortex will pass the parameters and Signal accordingly to third parties “as is”. |
CMP IAB Framework parameters are not available | Customer will initiate the call to Vortex components without any special parameters, and Vortex will make calls to its third parties without passing any special parameters. In this case some third parties will treat the request as “consent granted” and process the request by serving personalized or contextual ads, while others will not process the request.
|
Where Vortex is obliged by this Agreement to provide services beyond the scope of the Agreement (‘Additional Services’), these services shall be remunerated separately according to time and materials expended. This may include activities related to Sections 4 (Data Subject requests), 8 (Security Incident support), and 9 (Audits), except where such services are required due to a breach within Vortex’s responsibility.
Subject to the Agreement, remuneration for Additional Services is based on an hourly rate of EUR [●] plus applicable taxes.
