Master services agreement

EXHIBIT A

1. 
   is the majority owner of all URLs or comScore reported entities listed below (collectively, the “Company entities”)
   
2. 
   enjoys a legitimate business relationship with Tremor Video, Inc. (“Tremor Video”) where Tremor Video is able to serve media units to the Company entities, and
   
3. 
   authorizes that all Company entities can be a part of a Custom Entity requested by Tremor Video in comScore Inc. syndicated audience measurement reports.
   

I understand that acceptance of this letter by comScore imposes no legal liability whatsoever on comScore for damages, whether actual, incidental or consequential, relating to the maintenance or reporting of the Company entities. I understand that Company is fully responsible for timely notification to comScore of any updates to the Company entities, including, but not limited to, changes in ownership of any of the Company entities.

________________________ ________________________

Signature Name

________________________ ________________________

Title Company

________________________

Date

EXHIBIT B

PUBLISHER ADVERTISING RESTRICTIONS

.

Advertiser Block List
Activision

Activision Blizzard

Anchor Bay Entertainment

Blizzard Entertainment

Caesar's Entertainment

Capcom U.S.A. Inc.

DISNEY INTERACTIVE MEDIA GROUP (DIMG)

EA Games

Google (excluding advertising related to the following Google products:  Play, Search, Nexus, Now, Apps, Maps, Android OS)

Konami of America, Inc.

Microsoft (excluding advertising related to the following Microsoft products: Internet Explorer, Outlook SkyDrive, MSN, Azure, IT Cloud

Nintendo

Nintendo Wii

Sony and Sony Pictures

Sony PlayStation

Sony Online Entertainment

Sony Network Entertainment

Sony Pictures

Sony Entertainment

Sony Pictures Home Entertainment

Summit Entertainment

Summit Entertainment, LLC

Ubisoft

2K games
Category Block List

Gambling: May not depict actual money; may link to a site but site may not have actual gambling

1. 
   PERSONAL DATA PRIVACY
   

1. 
   Definition – For purposes of this Agreement, “Personal Data” means individually identifiable information from or about an individual including, but not limited to, (i) social security number; (ii) credit or debit card information, including card number, expiration date and data stored on the magnetic strip of a credit or debit card; (iii) financial account information, including the ABA routing number, bank account number and retirement account number; (iv) driver’s license, passport, or taxpayer, military or state identification number; (v) medical, health or disability information, including insurance policy numbers, (vi) passwords, fingerprints or biometric data, or (vii) other data about an individual, including first and last name; home or other physical address, including street name and name of city or town; email address or other online contact information, such as an instant messaging user identifier or a screen name, that reveals an individual’s email address; and telephone number.
   
2. 
   Personal Data Usage – To the extent that Publisher provides to Tremor, or Tremor otherwise accesses, Personal Data about Publisher’s employees, customers or other individuals in connection with this Agreement, (i) Tremor shall only use Personal Data for the purposes of fulfilling its obligations under this Agreement, and Tremor will not disclose or otherwise process such Personal Data except upon Publisher’s instructions in writing; (ii) Tremor will notify Publisher in writing and obtain Publisher’s consent before sharing any Personal Data with any government authorities or other third parties; (iii) comply with relevant data privacy laws, and (iv) Tremor agrees to adhere to additional mutually agreed to contractual terms and conditions related to Personal Data as Publisher may require in writing that Publisher deems necessary, in its sole discretion, to address applicable data protection, privacy, or information security laws or requirements.
   
3. 
   Unauthorized Disclosure – In the event that (i) any Personal Data is disclosed by Tremor (including its agents or subcontractors), in violation of this Agreement or applicable laws pertaining to privacy or data security, or (ii) Tremor (including its agents or subcontractors) discovers, is notified of, or suspects that unauthorized access, acquisition, disclosure or use of Personal Data has occurred (“Privacy Incident”), Tremor shall notify Publisher promptly in writing of any such Privacy Incident. Tremor shall cooperate fully in the investigation of the Privacy Incident.
   
4. 
   Remediation – To the extent that a Privacy Incident gives rise to a need, in Publisher’s sole judgment, to (i) provide notification to public authorities, individuals or other persons, or (ii) undertake other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries (each of the foregoing a “Remedial Action”)), at Publisher’s request, Tremor shall, at Tremor’s cost, undertake such Remedial Actions. The timing, content and manner of effectuating any notices shall be determined by Publisher in its sole discretion.
   

2. 
   INFORMATION SECURITY
   

(1) Physical Security and Access Control – Safeguards to (i) maintain all systems hosting Publisher Personal Data and/or providing services on behalf of Publisher in a physically secure environment that provides an unbroken barrier to unauthorized access, (ii) restrict access to physical locations containing Personal Data, such as buildings, computer facilities, and records storage facilities, only to authorized individuals, and (iii) detect and respond to any unauthorized access that may occur.

(2) Physical Security for Media – Appropriate procedures and measures to prevent the unauthorized viewing, copying, alteration or removal of, all media containing Personal Data, wherever located.

(3) Media Destruction – Appropriate procedures and measures to destroy (subject to applicable record retention requirements) removable media containing Personal Data when no longer used or, alternatively, to render Personal Data on such removable media unintelligible and not capable of reconstruction by any technical means before re-use of such removable media is allowed.

(4) Environmental Hazards – Measures to protect against destruction, loss, or damage of Personal Data or information relating thereto due to potential environmental hazards, such as fire or water damage or technological failures, as well as uninterruptible power supply (UPS) to ensure constant and steady supply of electricity.
(b) Technical Security

(1) Access Controls on Information Systems – Appropriate procedures and measures to control access to all systems hosting Personal Data and/or providing services on behalf of Publisher (“Systems”) through the use of physical and logical access control systems, grant access only to authorized individuals and, based on the principle of least privileges, prevent unauthorized persons from gaining access to Personal Data, appropriately limit and control the scope of access granted to any authorized person, and document all relevant access events, including:

(i) Access Rights Policies – Policies and procedures regarding the granting of access rights to Personal Data to permit only the appropriate personnel to create, modify or cancel the rights of access of Tremor’s employees, agents and subcontractors. Such policies and procedures must ensure that only designated information asset owners and their delegates may authorize and grant access to Personal Data. Systems or applications that can be used to access Personal Data must have strong passwords. On a quarterly basis, Tremor shall conduct reviews to ensure compliance with this Section (b)(1)(i).

(ii) Authorization Procedures for Persons Entitled Access – Appropriate procedures to establish and configure authorization profiles in order to enable personnel to have access to Personal Data to the extent that they need to know the data to perform their duties, and to enable access to more sensitive classifications of Personal Data only within the scope and to the extent covered by their respective access permission.

(iii) Authentication Credentials and Procedures – Appropriate procedures for authentication of authorized personnel, including use of Publisher approved authentication to access any Personal Data on Publisher’s networks or other systems.

(iv) Remote Access – Appropriate procedures and measures to prevent personnel performing remote system support from accessing Personal Data without end-user permission and presence and/or accountability during remote access sessions and subject to all applicable confidentiality obligations.

(v) Access Control via Internet – Appropriate procedures and measures to prevent the Systems or Personal Data from being used by unauthorized persons by means of data transmission equipment via the Internet or otherwise. No "administration" consoles for web server, application and database software will be accessible from the Internet. Any servers that can be used to transmit Personal Data to the Internet shall be configured with firewalls to only expose port 80 and 443 to the Internet.

(vi) Internet-Based Communications/Transmissions – Appropriate procedures and measures to ensure security and integrity of Internet-based email and other communications, including use of encryption, time stamp and other techniques for transmission of sensitive Personal Data or other communications over the Internet. Only secure protocols such as SSL or SFTP may be used to transfer Personal Data on to the web servers and active monitoring of this shall be done to ensure only legitimate uploads and downloads.

(vii) Access Monitoring – Appropriate procedures and measures to monitor all access to Systems and Personal Data, including protocol analyzers for applications, network and servers, only by authorized Tremor personnel, and to track additions, alterations, and deletions of Personal Data.

(viii) Intrusion Detection/Prevention and Malware – Appropriate and up-to-date procedures and safeguards to protect Personal Data against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, where appropriate. Tremor must make all reasonable attempts to ensure that basic DOS and DDOS measures are in place. Tremor must implement active intrusion monitoring systems and monitor logs on a 24*7*365 basis alerting Publisher promptly of any breach detected affecting Personal Data.

(ix) Program Patching and Vulnerability Remediation – Appropriate procedures and measures to regularly update and patch operating systems, applications and databases to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches. Security patches for high-level vulnerabilities (e.g. vulnerabilities that can result in compromise of server, loss of personal information, brand defacement) must be applied within 24 hours to 10 business days, depending upon the particular operating system, application or database,; security patches for non high-level vulnerabilities (e.g. invalid server SSL certificate, server or application misconfigurations) must be applied within a target of 10 business days; and all operating system, web server, and application software security patches must be installed within a target of 10 business days of patch release. Tremor must appropriately remediate any known vulnerabilities within a timely manner. If Tremor is unable to remediate vulnerabilities in a timely manner, Tremor must isolate any systems, applications, and databases from the Internet. Websites or systems that have direct or indirect access to the Internet shall not be opened to the Internet until such vulnerabilities have been fixed.

(2) Additional Application and Website Coding, Security, and Testing Requirements – If any application coding will be performed by Tremor in connection with any application that processes or stores (or might allow access to) any Personal Data:

(i) Tremor must write code that appropriately addresses known security risks. At a minimum, Tremor must comply with any applicable published Open Web Application Security project ("OWASP") security guidelines and must address the current OWASP top ten web application security risks.

(ii) When new code is deployed or existing code modified, Tremor must take all reasonable steps to ensure that the code is secure, including appropriate testing from a security vulnerability perspective, prior to going live on the Internet. Full regression testing must also be conducted to ensure that security remains strong across the entire site.

(iii) Captcha technology must be used when designing any website registration page to prevent ‘robot scripts’ from registering false users.

(iv) Any website with a login and password must be designed using strong passwords. All website "reset" password and "forgotten" password features must be designed to use an industry standard secure mechanism to reset user passwords.

(v) Any servers that host Personal Data or websites that provide an interface to access Personal Data must be security hardened using industry best practices, and all operating systems and software configurations (including applications and databases must conform to best industry security practices for such applications and databases).

(3) Data Management Controls

(i) Data Input Control – Appropriate procedures to enable Tremor to check and establish whether, when, and by whom Personal Data may have been input into the Systems, or otherwise modified, or removed.

(ii) Data Processing Control – Appropriate procedures and measures intended to limit the processing of Personal Data to the uses permitted under the Agreement.

(iii) Access to Production Data – Appropriate procedures and measures to limit access to production Personal Data to authorized persons requiring such access to perform contracted services and to prevent other access to such Personal Data, except temporary access to production Personal Data to support specific business need.

(iv) Logs – All web server, application and database logs for systems or applications that process or store Personal Data must log sufficient data and information to recreate unauthorized activity. In the event of a breach, such logs must enable the tracing of unauthorized activity from the intrusion point through to table level access in a database. All such logs must be kept for a minimum of 1 year.

(v) Data Encryption – Appropriate procedures and measures to protect Personal Data so that it cannot be read, copied, changed or deleted by unauthorized persons while in storage and while it is being transferred electronically or transferred or saved on data media, including data encryption in storage on portable devices where appropriate in light of the sensitivity of the Personal Data. Any encryption schemes used shall be consistent with the strongest available industry best practices.

(vi) Backup, Retention, and Recovery – Appropriate backup and recovery procedures and measures to safeguard Personal Data from events resulting in the loss of data or in system unavailability from any cause, including but not limited to implementing and testing at least annually an appropriate business continuity and disaster recovery plan (including a data backup plan).

(vii) Secure Disposal – policies and procedures regarding the disposal of Personal Data, and tangible property containing Personal Data, taking into account available technology so that Personal Data cannot be practicably read and reconstructed.
(c) Organizational Security

(1) Responsibility – Assignment of responsibility for information security management. An information security group shall maintain a list of individuals authorized to access Personal Data, and shall be responsible for approving authorized access privileges to users, and documenting access security procedures. The information security group shall monitor and periodically review access levels, logging reports and access violation reports to detect inappropriate Systems activity and to facilitate the timely investigation of suspicious or unauthorized activity, and periodically conduct access reviews to verify that access assignments are appropriate. The information security group shall ensure that they conduct vulnerability assessments (infrastructure and application layer) at least once a month and also allow Publisher’s information security staff to scan bi-weekly for vulnerabilities. Upon Publisher’s request, Tremor will provide the contact information for the information security group so they can be contacted 24*7*365 for support and security enquires. Tremor will fully co-operate with Publisher’s information security and investigations personnel should a breach occur and ensure that evidence is preserved in a forensically sound manner.

(2) Resources – Commitment of adequate personnel resources to information security.

(3) Confidentiality Agreements – Requirement that Tremor’s employees, agents, and subcontractors, and others with access to Personal Data, enter into signed confidentiality agreements and agree to use the systems to perform only authorized transactions in support of their job responsibilities.

(4) Qualification of Employees – Appropriate procedures and measures to ascertain the reliability, technical expertise, and personal integrity of all employees, agents, and subcontractors who have access to the information system or Personal Data.

(5) Obligations of Employees – Appropriate procedures and measures to verify that any employee, agent or contractor accessing the Personal Data knows his obligations and the consequences of any security breach.

(6) Controls on Employees – Employee background checks, where and to the extent permitted under applicable law, for employees with responsibilities for or access to Personal Data.

(7) Compliance with Laws – Tremor will fully comply with all data privacy laws in relation to the storage of personal information.

(8) Enforcement – Appropriate disciplinary procedures against individuals who access Personal Data without authorization, or who otherwise commit security breaches.
(d) Additional Safeguards

(1) Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes. Tremor shall also designate a security official responsible for the development, implementation and maintenance of all the safeguards in this Schedule.

(2) Testing – Tremor shall regularly test the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.

(3) Security Awareness and Training – a security awareness and training program for all applicable members of Tremor’s workforce (including management), which includes training on how to implement and comply with this Schedule.

(4) Adjust the Program – Tremor shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Tremor or the Personal Data, requirements of applicable work orders, and Tremor’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.

3. 
   SURVIVAL
   

All data privacy and security obligations shall survive any termination or expiration of the Agreement with respect to Personal Data.

1. Tremor shall, at its own expense, procure and maintain the following insurance coverage for the benefit and protection of Publisher and Tremor , which insurance coverage shall be maintained in full force and effect until all obligations under this Agreement are completed:

1.1 A Commercial General Liability Insurance Policy with a limit of not less than $2 million per occurrence and $2 million in the aggregate, including Contractual Liability.

1.2 Professional Liability to include MultiMedia Errors & Omissions Insurance with limits of not less than $1 million for each occurrence and $2 million in the aggregate.

(An Umbrella or Following Form Excess Liability Insurance Policy will be acceptable to achieve the liability limits required in clauses 1.1 and 1.2 above)

2. The policies referenced in the foregoing clauses 1.1 and 1.2 shall name Publisher, Inc., its parent(s), subsidiaries, licensees, successors, related and affiliated companies, and its officers, directors, employees, agents, representatives and assigns as an additional insured by endorsement and shall contain a Severability of Interest Clause. All of the above referenced policies shall be primary insurance in place and stead of any insurance maintained by Publisher. Tremor’s insurance companies shall be licensed to do business in the state(s) or country(ies) where services are to be performed for Publisher and will have an A.M. Best Guide Rating of at least A:VII or better. Tremor is solely responsible for all deductibles and/or self insured retentions under their policies.

3. Upon Publisher’s written request, Tremor agrees to deliver to Publisher upon execution of this Agreement Certificates of Insurance and endorsements evidencing the insurance coverage herein required. Each such Certificate of Insurance and endorsement shall be signed by an authorized agent or insurance underwriter of the applicable insurance company, shall provide that not less than thirty (30) days prior written notice of cancellation is to be given to Publisher prior to cancellation or non-renewal, and shall state that such insurance policies are primary and non-contributing to any insurance maintained by Publisher.