DIGITAL TECH AGREEMENT

LAST UPDATED: February 2, 2026
1. INTRODUCTION
    1. This WBD Digital Tech Agreement (the "DTA") applies to the Processing of WBD Information for digital analytics, marketing, advertising, research, planning, performance, measurement, and similar purposes as described in the Description of Processing, attached to the relevant Agreement and incorporated herein by reference (“Description of Processing”) and in any agreement between Company and WBD (the “Relevant Purposes”).
    2. This DTA is supplemental to and forms part of any agreement between Company and WBD under which Company Processes WBD Information for the Relevant Purposes (each, an “Agreement”) and is effective as of the date executed by Company.
2. DEFINITIONS
    1. All capitalized terms in this DTA shall have the meaning set forth in the WBD Data Protection Definitions available at: www.wbdprivacy-b2b.com/definitions, as updated or amended by WBD from time to time and which are incorporated herein by reference
3. LEGAL REQUIREMENTS
    1. Compliance with Rules. Company and WBD will each comply with all applicable Rules. Company will not cause WBD to violate its obligations under the Rules. Company will notify WBD at wbdprivacy@wbd.com if it can no longer meet its Rules obligations or if its continued processing will cause WBD to violate the Rules.
    2. Privacy Notice Requirements. Each Party will ensure that its digital properties contain a conspicuous privacy notice that, if applicable: (i) discloses the usage of Tracking Technologies and Personal Information for the Relevant Purposes; (ii) contains information about opt-out mechanism(s) for the Relevant Purposes, and (iii) includes all other information required by the Rules.
    3. Global Data Processing Obligations. Company will comply with the Global Privacy Obligations if accessing or processing Personal Information for the Relevant Purposes. Company will act as a Processor except as specified in the Description of Processing. Company will provide the same level of data protection as required under the DTA to all WBD Information.
    4. Minors’ Online Protection Laws. Company will not process WBD Information in a manner that would allow Company or third parties to target advertising or marketing to a Minor. Company will comply with the Minor’s Online Protection Obligations if Minors are in scope for the Relevant Purposes.
    5. Video Privacy. Company will not process WBD Information in a manner that would enable an ordinary person to identify or reveal a particular individual as having requested or obtained specific video materials or services, including and without limitation by processing WBD Information in a manner that would allow Company or a third party to associate a user identifier, device identifier, or other personal information with specific video materials or services such as a video title.
    6. Sensitive Personal Information. Company will not process Sensitive Personal Information in connection with the Relevant Purposes unless (i) specified in the Description of Processing, (ii) done in compliance with all Rules and the DTA, (iii) it has received a mutually agreed upon consent signal from WBD for the processing of sensitive personal information (where required), and (iv) necessary to provide services to WBD.
    7. Information Security. Company and WBD will maintain reasonable and appropriate technical and organizational measures in compliance with the Rules. Company shall employ industry standard security measures, including without limitation, secure firewalls, encryption technologies and password-protected access, which safeguard against accidental and unauthorized access to, alteration or destruction of WBD Information. Company shall at all times during the Term of the Agreement and while any WBD Information are in its possession or control after the expiration or termination of the Agreement, implement and maintain physical, electronic and organizational security measures that are at a minimum in accordance with ISO/IEC 27001 best practices and standards or any successor standards for information security management to protect WBD Information against any unauthorized access, use, destruction, loss, or improper alteration. If there is any unauthorized access to any WBD Information, Company will report unauthorized access and other incidents to cybersecurity@wbd.com in no case later than twenty-four (24) hours of becoming aware and cooperate with WBD in addressing such unauthorized access.
    8. Third Party Data. Company will ensure that its use of third-party data complies with all Rules. Company will not provide and will not permit others to provide WBD Information to Data Brokers. The parties will work together in good faith to help prevent WBD being considered a Data Broker.
    9. Aggregated or De-identified Information. Company may process WBD Information that has been Aggregated, De-identified, or Anonymized such that it does not (i) attempt or permit third parties to reidentify or disaggregate such WBD Information, including by association with personal information, and (ii) identify, and cannot be used to identify, WBD as the source of the information (a) for the Relevant Purposes, and (b) for Company’s internal use to build or improve the quality of the services it is providing to WBD.
    10. Deletion. Upon termination of this DTA or as otherwise instructed by WBD, Company will promptly delete and cause all relevant services providers and third parties to delete WBD Information, and any models created from WB Information.
    11. Onward Sharing Requirements. Company will ensure that any service provider or third party, including Company’s tracking technology vendors, that receives access to WBD Information through Company’s use of such vendors, has executed a contract materially aligned with this DTA. Upon request, Company will provide WBD with sufficient information to confirm its compliance with this DTA.
    12. Log-level data. Company will help facilitate or provide WB with access to all relevant log-level data containing WB Information. Representative will take steps to ensure that it does not share any information which is restricted by the Rules or its contracts with third parties.
    13. Bulk U.S. Sensitive Personal and Government-Related Data. If Company is a Foreign Person, Company is prohibited from engaging or attempting to engage in, or permitting others to engage or attempt to engage in selling, licensing of access to, or other similar commercial transactions, such as reselling, sub-licensing, leasing, or transferring in return for valuable consideration, WBD Information or any part thereof, to Countries of Concern or Covered Persons. Where Company, as a Foreign Person, knows or suspects that a Country of Concern or Covered Person has gained access to WBD Information, Company will immediately inform WBD at wbdprivacy@wbd.com. Failure to comply with the above will constitute a breach of this Agreement and may constitute a violation of 28 CFR part 202. If 28 CFR part 202 applies, Company confirms that Company is in compliance with 28 CFR part 202 and any other prohibitions, restrictions or provisions applicable to Bulk U.S. Sensitive Personal and Government-Related Data, and Company agrees to annually certify to WBD, in writing, Company’s compliance with 28 CFR part 202. Company agrees to not evade or avoid, cause a violation of, or attempt to violate any of the prohibitions set forth in Executive Order 14117 or 28 CFR part 202.
4. SPECIFIC USE RESTRICTIONS
    1. WBD Information is made available to Company only for the Relevant Purposes specified in the Description of Processing. Company understands and certifies that it will not and will not cause or assist any third party to:
      1. collect, retain, transfer, rent, lease, use, combine, sell, share, target, or disclose WBD Information for (1) monetary consideration; and (2) any other purpose other than a (i) Relevant Purpose, or (ii) Business Purpose;
      2. retain or use WBD information provided for matching for (i) any other purpose or (ii) to match Directly Identifying Information in an environment that is connected to the public internet, except as agreed upon in writing by WBD;
      3. alter, compromise, bypass or undermine any query restrictions, access permissions or other security controls established by WBD, including in a DCR Environment;
      4. link or associate Pseudonymous identifiers or device identifying information with any persistent identifiers or any Directly Identifying Information (e.g., not link mobile ad IDs with email addresses);
      5. use Pseudonymous identifiers generated from WBD information, including tokenized or hashed email addresses, except as necessary to support the Relevant Purposes requested by WBD;
      6. create or enhance individual, device, or household advertising, marketing, or analytics profiles (including targeting or contextual profiles) with WBD Information, except as necessary for the Relevant Purposes to provide services to WBD only;
      7. create or enhance its cross-device linkages, device-graphing, or identity resolution with WBD Information;
      8. create or enhance audience segments, except (i) as necessary for the Relevant Purposes to deliver services for WBD only, (ii) only in a manner that obscures WBD, its IP, and relevant distribution platforms from segment names and associated metadata, (iii) to the extent segments contain at least 75 unique individuals, devices, or households, and (iv) in conformance with other written guidance from WBD, including with respect to segment naming conventions;
      9. use a device or process that records or decodes dialing, routing, addressing, or signaling information on WBD websites, apps, or services;
      10. introduce Tracking Technologies into ad creative except as described in the Description of Processing and expressly approved in writing by WBD;
      11. use IP addresses from WBD Information as the sole basis for targeting a user, device, or household;
      12. collect, derive, or utilize Location Information for the Relevant Purposes except as necessary for the Relevant Purposes and only then where expressly approved in writing by WBD identified in the Description of Processing;
      13. incorporate or use AI in connection with the Relevant Purposes, including in any databases, software, or models without WBD’s prior written approval (e.g., as identified in the Description of Processing); and
      14. use any WBD Information to develop, create, train, model, enhance, improve, advertise, or market AI products or services to any third parties, including other customers.
5. CONSENT SIGNALS
    1. Company will implement and support industry standard technologies to support consumer consent preferences as required by the Rules or as requested by WBD. Where Company and WBD have agreed that Company will receive a consent signal, Company will honor the signal as required by the Rules. For the avoidance of doubt, when Company receives a consent signal indicating that the individual has opted out of Sales, Sharing, or Targeted Advertising, Company shall use WBD Information about that individual only for a Business Purpose specified in the Description of Processing or as otherwise permitted by the Rules and Company shall not Sell, Share, or Process WBD Information for Targeted Advertising. Company is solely liable for its compliance with the Rules and WBD makes no warranties or representations that platform, developer, or industry consent signals comply with all applicable laws or meet Company’s legal or regulatory obligations. In the absence of consent, Company will support the delivery of Contextual Advertising, First Party Advertising, Frequency Capping, Negative Targeting, IVT, Ad Fraud Prevention, Measure Ad Performance, security, and other Business Purposes on WBD Properties except as limited by the Rules. If applicable, Company will comply with the following:
      1. US State Privacy. If Company or its vendors or partners has signed the IAB Privacy’s Multi-State Privacy Agreement available at https://www.iabprivacy.com/# (“MSPA”), the terms in this DTA will supplement the terms in the MSPA for Covered Transactions (as defined in the MSPA) and will extend to transactions that are not covered under the MSPA. Additionally, the parties shall work together in good faith to design and implement a solution so that Company will support the technical receipt of data deletion requests as required by WBD.
      2. EEA/UK Privacy. If supporting Relevant Purposes in the European Economic Area and/or the United Kingdom, Company and its vendors and partners has implemented and supports IAB Europe's latest available version of the Transparency and Consent Framework (“TCF”) available at: https://iabeurope.eu/transparency-consent-framework/. Company and its vendors and partners will restrict its use of WBD Information to align with applicable consent preferences. Company, its vendors and partners will comply with all current TCF policies, terms and conditions, technical specifications, and other supporting resources available at: https://iabeurope.eu/tcf-supporting-resources/. Company, its vendors or its partners will not modify GPP or TC strings generated by WBD or its vendors or partners.
6. INDEMNITY
    1. Company will indemnify, defend (at WBD's option), and hold harmless WBD against all allegations, actions, claims, suits, Processing, judgements, liability, damages, settlements, demands, fines, or expenses related to or arising out of Company's breach of this DTA.