Niantic Controller-Controller Data Processing Agreement

Effective Date: May 24, 2022

Niantic and you, the party agreeing to these terms (“Customer”), have entered into an agreement for access to and use of the Lightship SDK, the Lightship API and the Lightship Services (collectively herein, “Lightship”), as amended from time to time (the “License Agreement”). This Controller-Controller Data Processing Agreement (the “Controller Agreement”) is entered into between you and Niantic, together with any attachments and appendices, and are incorporated by reference into the License Agreement.

This Controller Agreement reflects the parties’ agreement on the processing of Controller Personal Data in connection with the Applicable Data Protection Law.

DEFINITIONS

1. “Affiliate” shall mean, as to any entity, any other entity that, directly or indirectly, controls, is controlled by or is under common control with such entity.
2. “Applicable Data Protection Law” shall mean any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (including any and all legislative and/or regulatory amendments or successors thereto), to which a party to this Controller Agreement is subject and which is applicable to a party’s information protection and privacy obligations. For the avoidance of doubt, Applicable Data Protection Law shall include without limitation the EU GDPR and the UK GDPR (each as defined below).
3. “Controller Data Subject” shall mean any individual to whom Controller Personal Data relates.
4. “Controller Personal Data” shall mean any information processed by a party under the Agreement in connection with your access to or use of Lightship that identifies an individual or directly or indirectly relates to an identifiable individual.
5. “Customer SCCs” means the EU SCCs and the UK SCCs (each as defined below), as appropriate.
6. “EU GDPR” means the General Data Protection Regulation (Regulation 2016/679).
7. “EU SCCs” means the Standard Contractual Clauses (Module One, excluding Clause 7, Clause 11 (Option)) approved by the European Commission in decision 2021/914/EC.
8. “Niantic” means Niantic, Inc. if you reside in the United States, or Niantic International Ltd. if you reside outside of the United States.
9. The terms “controller”, “data subject”, “personal data”, “processing” and “processor” as used in this Controller Agreement have the meanings given in the EU GDPR, and the terms “data importer” and “data exporter” have the meanings given in the EU SCCs.
10. “UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the UK Data Protection Act 2018.
11. “UK SCCs” means the Standard Contractual Clauses for data controller to data controller transfers approved by the European Commission in decision 2004/915/EC.

ROLES AND RESTRICTIONS

Each party to this Controller Agreement: (a) is an independent controller of Controller Personal Data under Applicable Data Protection Law; (b) will individually determine the purposes and means of its processing of Controller Personal Data; and (c) will comply with the obligations applicable to it under Applicable Data Protection Law with respect to the processing of Controller Personal Data. Nothing in this Section 2 shall modify any restrictions applicable to either party’s rights to use or otherwise process Controller Personal Data under your License Agreement or other agreements with Niantic, and you will process Controller Personal Data solely and exclusively for the purposes specified in such License Agreement or other agreements.

DATA TRANSFERS

12. Either party may transfer Controller Personal Data to third countries if it complies with the provisions on the transfer of personal data to third countries in the Applicable Data Protection Law.
13. Where a party receiving Controller Personal Data is located in a country not recognized by the European Commission as providing an adequate level of protection for Personal Data within the meaning of the EU GDPR (a “Restricted Transfer”), no Controller Personal Data processed within the European Economic Area, the United Kingdom or Switzerland (“EEA”), by either of the parties pursuant to this Controller Agreement shall be exported outside the EEA (or transferred onward to another non-EEA location) without a legally recognized transfer mechanism. To that end the EU SCCs are hereby incorporated by reference and shall apply to any Restricted Transfers under this Controller Agreement, provided that Annex I and II of the EU SCCs shall be deemed completed as set forth in Attachment 2 and 3 to this Controller Agreement. The parties agree that the law of Belgium shall be the governing law for the purposes of clause 17 of the EU SCCs, and the Belgian Courts shall have jurisdiction for the purposes of clause 18(b) of the EU SCCs.
14. With respect to transfers subject to the UK GDPR, the UK SCCs are hereby incorporated by reference and shall apply in addition to the EU SCCs, provided that Annex B of the UK SCCs shall be deemed completed as set forth in Attachment 1 to this Controller Agreement. In the event of a conflict or inconsistency between the EU SCCs and the UK SCCs, the provisions which provide the most protection to data subjects shall prevail.
15. The Customer SCCs shall, as of the Effective Date of this Controller Agreement, supersede and replace any standard contractual clauses previously entered in to between the parties in connection with this Controller Agreement.

SECURITY AND CONFIDENTIALITY

16. Each party shall implement appropriate technical and organisational measures to protect the Controller Personal Data from a possible or actual unauthorized access or disclosure, unauthorized, unlawful or accidental loss, destruction, acquisition of or damage to Personal Information, or any other breach of Applicable Data Protection Law or Controller Agreement in relation to the Processing of Personal Information by any current or former employee, contractor or agent of Customer or by any other person or third party (“Security Incident”).
17. In the event that a party experiences a Security Incident, it shall notify the other party without undue delay, but in any event within seventy-two (72) hours of it confirming same, and both parties shall cooperate in good faith to agree and take such measures as may be necessary to mitigate or remedy the effects of the Security Incident. Nothing herein prohibits either party from providing notification of the Security Incident to regulatory authorities as may be required by Applicable Data Protection Laws prior to notification of the other party so long as the notifying party provides notification to the other party without undue delay. Each party shall ensure that all of its personnel who have access to and/or process Controller Personal Data are obliged to keep the Controller Personal Data confidential.

AMENDMENTS

Niantic may from time to time add new components to Lightship and/or modify Lightship. As a result, Niantic may subject your continued use of Lightship to your acceptance of additional or amended terms, including amendments to this Controller Agreement. In case of a conflict between this Controller Agreement and additional terms applicable to a given component of Lightship, this Controller Agreement will control.

TERM AND TERMINATION

This Controller Agreement shall be effective as of the date on which Customer clicked to accept or the parties otherwise agreed to this Controller Agreement. Notwithstanding anything to the contrary in the License Agreement, the obligations pursuant to this Controller Agreement shall survive termination of the License Agreement for as long as you hold or process Controller Personal Data.

MISCELLANEOUS

18. The liability of the parties under or in connection with this Controller Agreement will be subject to the exclusions and limitations of liability in the License Agreement.
19. This Controller Agreement shall be governed by the laws of the jurisdiction specified in the License Agreement. Notwithstanding the foregoing and anything to the contrary in the License Agreement, if Applicable Data Protection Laws require application of the laws of another jurisdiction to this Controller Agreement, such laws shall govern.
20. The parties agree that Affiliates are intended third party beneficiaries of this Controller Agreement and that the provisions of this Controller Agreement are intended to inure to the benefits of such Affiliates. Without limiting the foregoing, such Affiliates will be entitled to enforce all processing and transfer provisions of this Controller Agreement as if each was a signatory to this Controller Agreement.
21. Each party warrants that the execution and performance of its obligations under this Controller Agreement do not conflict with or violate any other instrument, contract, agreement, or other commitment or arrangement to which it is a party or by which it is bound, and that it knows of no other fact or circumstance that prevents it from entering into this Controller Agreement.

---

Attachment 1

ANNEX B TO THE UK SCCs

DESCRIPTION OF THE TRANSFER

(Capitalized terms used in this Annex are as defined in the Controller Agreement)

Data subjects

Depending on the nature of the access to or use of Lightship, data subjects may include individuals: (a) who are customers or users of the products or services of Customer; (b) who are customers or users of the products or services of Niantic; and/or (c) who have visited specific websites or applications in connection with access to or use of Lightship.

Purposes of the transfer(s)

The transfer is made for the following purposes: to facilitate access to and use of Lightship by Customer; in the case of Niantic, as described in the License Agreement, the Niantic Business and Developer Services Privacy Policy, and/or the Niantic Privacy Policy.

Categories of data

The personal data transferred concern the categories of personal data described in the License Agreement, the Niantic Business and Developer Services Privacy Policy, and/or the Niantic Privacy Policy.

Recipients

The personal data transferred may be disclosed only to the following recipients or categories of recipients:

• In the case of Niantic, as described in the License Agreement, the Niantic Business and Developer Services Privacy Policy, and/or the Niantic Privacy Policy.
• In the case of Customer, as permitted under the License Agreement, applicable Customer privacy policy, or the Controller Agreement.

Special data (if appropriate)

The personal data transferred concern the following categories of sensitive data: Not applicable, unless specified in the License Agreement and/or applicable privacy policy.

Data protection registration information of data exporter (where applicable)

When required under applicable data protection law, the data exporter will file relevant registration(s) in its relevant location(s).

Additional useful information (storage limits and other relevant information)

None.

Contact points for data protection enquiries

Data importer (controller)

Niantic, Inc. or Niantic International Ltd.: contact details as stated in the License Agreement.

Data exporter (controller)

Customer: contact details as stated in Customer’s privacy policy.

---

Attachment 2

ANNEX I TO THE EU SCCs

A. LIST OF PARTIES

Data exporter(s):

Name: Customer

Address: As stated in the Customer’s privacy policy

Contact person’s name, position and contact details: As stated in the Customer’s privacy policy

Activities relevant to the data transferred under these Clauses: The data exporter will receive access to the Niantic Services as defined in the License Agreement.

Signature and Date: These SCCs shall become binding on both parties upon the Customer’s acceptance of the License Agreement.

Role (controller/processor): Controller

Data importer(s):

Name: Niantic, Inc. or Niantic International Limited

Address: As stated in the License Agreement

Contact person’s name, position and contact details: As stated in Niantic’s privacy policy.

Activities relevant to the data transferred under these Clauses: The data importer will provide the data exporter with Niantic Services as defined in the License Agreement.

Signature and Date: These SCCs shall become binding on both parties upon the Customer’s acceptance of the License Agreement.

Role (controller/processor): Controller

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As described in Attachment 1 to this Controller Agreement

Categories of personal data transferred

As described in Attachment 1 to this Controller Agreement

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

As described in Attachment 1 to this Controller Agreement

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal Data may be transferred on a continuous basis in accordance with the terms of the License Agreement and this Controller Agreement.

Nature of the processing

The data importer will process Personal Data to provide the Services in accordance with the License Agreement and this Controller Agreement.

Purpose(s) of the data transfer and further processing

As described in Attachment 1 to this Controller Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The period for which the personal data will be retained will be determined by the Data Importer in accordance with its data privacy and data retention policies.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

As above

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The competent supervisory authority shall be the supervisory authority of the EU Member State in which the data exporter is established (or alternatively, the supervisory authority of the EU Member State in which the data exporter’s representative is established, where the data exporter has appointed such a representative pursuant to Article 27(1) of Regulation (EU) 2016/769). If the data exporter is not established in an EU Member State, and is not required to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/769, the competent supervisory authority shall be the Belgian Data Protection Authority.

---

Attachment 3

ANNEX II TO THE EU SCCs

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The Data importer’s security measures shall include, at a minimum:

• Preventing unauthorized persons from gaining access to Personal Information Processing systems (physical access control);
• Preventing Personal Information Processing systems being used without authorization (logical access control);
• Ensuring that persons entitled to use a Personal Information Processing system gain access only to such Personal Information as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Information cannot be read, copied, modified or deleted without authorization (data access control);
• Ensuring that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Information by means of data transmission facilities can be established and verified (data transfer control);
• Ensuring the establishment of an audit trail to document whether and by whom Personal Information have been entered into, modified in, or removed from Personal Information Processing (entry control);
• Ensuring that Personal Information are protected against accidental destruction or loss (availability control); and
• Ensuring that Personal Information collected for different purposes can be processed separately (separation control).