This Data Protection Addendum is between Framework Computing Consultants T/A Digitary (referred to herein as “Digitary” or “Service Provider”) and the Digitary Member identified on the Order Form for the purchase of certain Digitary Services between the parties hereto (the “Agreement”), to which this Addendum is incorporated (referred to herein as the “Data Controller” or “Member”), and is effective as of the Order Form date (the “DPA”). The terms of this DPA are hereby incorporated by reference into the terms of the Agreement (defined above).
This DPA shall apply and govern the processing of Personal Data solely to the extent that: 1) Digitary is a data processor or service provider under the terms of applicable data protection law (as defined below); 2) Data Controller is subject to the applicable data protection law; and 3) Digitary performs processing of Personal Data under the Agreement.
1. Definitions. The following terms in this DPA shall have the following meanings:
- “applicable data protection law” means all applicable laws, regulations, and other legal requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the processing of Personal Data, including without limitation, to the extent applicable, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and any amendments thereto (“CCPA”); the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the Swiss Federal Data Protection Act; and the United Kingdom Data Protection Act of 2018 (“UK Privacy Act”).
- “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this DPA, provided that this DPA applies only to personal information that Service Provider receives or accesses in connection with providing the Services to Member and shall not apply to personal information that Service Provider processes independent of the Services Agreement.
- “data controller” refers to the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data, and for purposes of this DPA is identified above as the Data Controller;
- “data processor” refers to the natural or legal person which, alone or jointly with others, processes personal data on behalf of the data controller, and for the purposes of this DPA is Digitary;
- “data subject” shall have the meaning given to it in the applicable data protection laws;
- “technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
- “Personal Data” includes “personal data,” “personal information,” and “personally identifiable information,” and such terms have the same meaning as defined in applicable data protection law.
- “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to Personal Data.
- “processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “sub-processor” means any data processor affiliate or subcontractor engaged by Digitary for the processing of Personal Data.
- “EU Standard Contractual Clauses” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
- “UK Standard Contractual Clauses” means the International Data Transfer DPA to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in “Data Transfers” below.
2. Nature and Purpose of the Processing. The processing is being conducted solely for the purpose set forth in the Agreement for the applicable Digitary services detailed in the Agreement (the “Services”) and for the term of the Agreement, which may include fulfilling requests for transcripts and other credential types and admissions-related documents, including the processing of orders to have a specific document or record sent from a record holder to a record recipient. Digitary has no obligation to monitor the compliance of Member’s use of the Services with applicable data protection law. The terms and conditions of the Agreement, including this DPA, along with Member’s configuration of any settings or options in the Services, constitute Member’s complete and final instructions to Digitary regarding the processing of Personal Data, including for purposes of the Standard Contractual Clauses. Without limiting the foregoing:
- Digitary will not process the Personal Data in a manner inconsistent with Digitary’s role as Member’s “Service Provider”.
- Digitary will not “sell” or “share” the Personal Data in a manner inconsistent with Digitary’s role as Member’s “Service Provider”.
3. Data Controllers. Data Controller provides a limited amount of its client and/or student user data to Digitary. The parties agree that all processing of Personal Data by Digitary and/or any sub-processor will be performed only pursuant to the instructions from Data Controller as set forth in the Agreement. Digitary understands and agrees that the Data Controller has the rights and obligations as set forth in the applicable clauses of the applicable data protection law. Digitary shall promptly inform the Data Controller if, in Digitary’s opinion, an instruction from the Data Controller regarding Personal Data infringes applicable data protection law. Additionally, Digitary shall promptly notify the Data Controller if Digitary determines that it can no longer meet its obligations under applicable data protection law.
4. Obligations of Digitary. Digitary, to the extent it is a data processor under the terms of this DPA and applicable data protection law, agrees:
- to process Personal Data only under the authority of and on behalf of the written instructions of Data Controller, including as set forth in the Agreement, unless required by law to act without or against such instructions, in such case Digitary shall inform the Data Controller immediately of such legal requirements unless Digitary is legally prohibited from doing so;
- to ensure that any persons authorized to process Personal Data have confidentiality obligations or are under appropriate fiduciary obligations of confidentiality;
- that it has implemented and maintains commercially appropriate technical and organisational security measures appropriate for the nature, scope and type of processing being performed in compliance with the applicable data protection law, and that it has reviewed the technical and organisational security measures of sub-processors (if any);
- to notify the Data Controller within 48 hours of confirmed knowledge by Digitary of any Personal Data Breach;
- to the extent Data Controller, in its use of the Services, does not have the ability to address a request regarding Personal Data directly, to provide reasonable assistance to Data Controller to allow it to respond to any request by a data subject seeking to exercise any of his or her rights under applicable data protection law (including rights of access, correction, objection, and erasure, as applicable);
- to provide reasonable assistance to Data Controller in complying with any legally binding requests related to Personal Data by a law enforcement authority unless otherwise prohibited, including in responding to a Personal Data Breach and complying with any applicable data breach notification laws in connection with a Personal Data Breach and to assist Data Controller with data protection impact assessments and consultations, when and if required;
- without undue delay after discovering that a Personal Data Breach has occurred, to inform the Data Controller of the Personal Data Breach and, to the extent available, of:
  - the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned;
  - the likely consequences of the Personal Data Breach; and
  - measures taken or proposed to be taken by Digitary to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
- to abide by and cooperate with the requests of the supervisory authority with regard to the processing of Personal Data;
- to submit its data processing activities for audit by the Data Controller as required to reasonably demonstrate compliance with its obligations under applicable data protection law no more than once annually, provided that Data Controller or any third-party representative is bound by obligations of confidentiality for such audit information. For clarity, such audits or inspections are limited to Digitary’s processing of Personal Data subject to the applicable data protection law on behalf of Data Controller only, not any other aspect of Digitary’s business or information systems or other members. Data Controller shall provide Digitary with sixty (60) days prior written notice of an audit, shall conduct an audit in a manner that will result in minimal disruption to Digitary’s business operations, and shall not be entitled to receive data or information of other members or any other confidential information that is not directly relevant for the authorized purposes of the audit. This provision does not grant Data Controller any right to conduct an on-site audit of Digitary’s premises. Data Controller shall reimburse Digitary for any reasonable time expended for an audit at Digitary’s then-current rates, which shall be made available to Data Controller upon request; and
- upon completion of the Services and request by the Data Controller, to destroy or return all Personal Data processed on behalf of Data Controller, using industry standard methods for data destruction appropriate to the type of Personal Data provided, except to the extent that applicable legal requirements require storage of the Personal Data, in which case Digitary will (a) to the extent legally permitted, inform Data Controller of the legal requirement and of the particular Personal Data records that Digitary intends to retain, (b) not Process the Personal Data for any purpose other than compliance with the legal requirement, and (c) securely destroy such Personal Data as soon as practicable.
5. Sub-processors. Data Controller acknowledges and agrees that Digitary may engage sub-processors for the processing of Personal Data in compliance with applicable law to provide the Services. Digitary’s current list of sub-processors is available at Schedule A. Data Controller hereby approves of such sub-processors. Digitary will impose contractual obligations on any sub-processors that are substantially the same as the data protection obligations set forth in this DPA and will remain liable to the Data Controller for sub-processors’ performance of such data protection obligations. Ten (10) days prior to a new sub-processor’s proposed Processing of Personal Data, Digitary will notify the Data Controller of the identity of the proposed sub-processor. If the Data Controller provides Digitary a reasonable objection to a sub-processor due to a reasonable belief that the sub-processor cannot provide the level of protection required under this DPA, the parties will work in good faith to find an appropriate solution, which may include (i) Digitary providing the Data Controller with records or information that provide reasonable assurance that the sub-processor will provide such level of protection or (ii) providing available alternatives to change the services or receive the services from an alternate sub-processor.
6. Obligations of the Data Controller. The Data Controller agrees and represents and warrants to Digitary the following:
- that it has obtained all necessary rights and consents under applicable data protection law as required for Digitary to perform the Services under the Agreement or otherwise process any Personal Data as contemplated in this DPA;
- that it will not instruct Digitary to process Personal Data in violation of applicable law. In the event that a change in legislation is likely to have a substantial adverse effect on the warranties and obligations provided by this DPA, Data Controller will promptly notify Digitary of such change, in which case Digitary is entitled to suspend the processing of the relevant sub-processors; and
- to implement and maintain data protection policies that are compliant with the applicable data protection law.
7. Data Transfers. To the extent that the Services involve a transfer of Personal Data from Data Controller in the United Kingdom, EEA or Switzerland to Digitary systems or personnel processing data outside such jurisdiction, the Parties agree:
- With respect to Personal Data transferred from the EEA and Switzerland, the EU Standard Contractual Clauses form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and they will be deemed completed as follows:
  - Data Controller acts as a controller and Digitary acts as a processor with respect to the Personal Data subject to the EU Standard Contractual Clauses, and its Module 2 applies.
  - Clause 7 (the optional docking clause) is included.
  - Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is set forth as indicated in Schedule A of this DPA, and Digitary shall update that list and provide notice to the Data Controller at least ten (10) days in advance of any intended additions or replacements of sub-processors.
  - Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
  - Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland.
  - Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of Ireland.
  - Annexes I and II of the EU Standard Contractual Clauses are set forth in Schedules B and C of the DPA.
  - Annex III of the EU Standard Contractual Clauses (List of sub-processors) is set forth in Schedule A.
  - By entering into this DPA, the Parties are deemed to be signing the EU SCCs and their applicable Tables and Appendix Information.
- With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision shall have the meanings given in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
  - Table 1 of the UK SCCs:
    - The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in the Agreement.
    - The Key Contact shall be the contacts set forth in the Agreement.
  - Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
  - Table 3 of the UK SCCs: Annexes 1A, 1B, II, and III shall be as set forth in the Agreement and Schedule B.
  - Table 4 of the UK SCCs: Digitary may end this DPA as set out in Section 19 of the UK SCCs.
  - By entering into this DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.
8. Liability
- The parties agree that nothing in this DPA or the Agreement relieves the Member of its respective responsibilities and liabilities under applicable data protection law.
- Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
- Member acknowledges that Digitary is reliant on Member for direction as to the extent to which Digitary is entitled to process Personal Data on behalf of Member in performance of the Services. Consequently, Digitary will not be liable under the Agreement for any claim brought by a data subject arising from any action or omission by Digitary, to the extent that such action or omission resulted from Member’s instructions or from Member’s failure to comply with its obligations under applicable data protection law. The parties agree that the liability of Digitary shall be limited to its own processing operations under this DPA and the Agreement. The parties agree that Digitary will not be liable for any damages arising out of or related to violations of applicable data protection law by the Data Controller related to Data Controller’s acts or omissions not related to the Services.
9. Ratification. All other terms and conditions in the Agreement are ratified and remain in full force and effect. This DPA is an addendum to the Agreement and shall control and prevail to the extent of any conflict with the Agreement.
Schedule A
Subprocessors
To support delivery of our Services, Digitary may engage and use data processors with access to certain Customer Data (each, a “Subprocessor”). This page provides important information about the identity, location and role of each Subprocessor.
Digitary’s list of sub-processors will be published at www.digitary.net/subprocessors.
Schedule B
DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred:
- End users of Data Controller such as students
Categories of personal data transferred:
- contact information, transcript data, credential data, enrollment verification, attendance records and other educational or identity information
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
- On a continuous basis for as long as Data Controller is engaging Digitary to provide the Services.
Nature of the processing:
- The nature of the Processing is as set forth in the Agreement and any relevant order forms.
Purpose(s) of the data transfer and further processing:
- The purposes for the data transfer are to facilitate Digitary’s provision of Services pursuant to the Agreement and any relevant order forms.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
- The data will be retained for the time period needed to accomplish the purposes of Processing, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
- Transfers to sub-processors are for the same purposes as transfers to the processor.
Schedule C
Security Requirements
The Parties will implement and maintain the following administrative, technical, physical, and organizational security measures for the Processing of Personal Data:
The Parties’ Information Security Program includes specific security requirements for their personnel and all subprocessors or agents who have access to Personal Data (“Data Personnel”). The security program covers the following areas:
- Information Security Policies and Standards. The Parties will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
- Physical Security. The Parties will maintain commercially reasonable security systems at all Party sites at which an information system that uses or stores Personal Data is located (“Processing Locations”) that include reasonably restricting access to such Processing Locations, and implementing measures to detect, prevent, and respond to intrusions.
- Organizational Security. The Parties will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
- Network Security. The Parties maintain commercially reasonable information security policies and procedures addressing network security.
- Access Control. The Parties agree that: (1) only authorized staff can grant, modify or revoke access to an information system that Processes Personal Data; and (2) the Parties will implement commercially reasonable physical and technical safeguards to create and protect passwords.
- Virus and Malware Controls. The Parties protect Personal Data from malicious code and will install and maintain anti-virus and malware protection software on all system endpoints that handle Personal Data and will maintain applicable controls on web servers.
- Personnel. The Parties have implemented and maintain a security awareness program to train employees about their security obligations. Data Personnel follow established security policies and procedures. A disciplinary process is applied if Data Personnel fail to adhere to relevant policies and procedures.
- Business Continuity. The Parties implement disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. The Parties also adjust the Information Security Program in light of new laws and circumstances, including as business and Processing change.