This Data Processing Agreement (the “DPA”) forms part of the Service Agreement, MSA, and Terms Acceptance between Ad Collab LLC (“Ad Collab,” acting as Processor / Service Provider) and the Client identified in the Service Agreement (acting as Controller / Business). Capitalized terms not defined in this DPA have the meaning given in the MSA or Terms Acceptance.

This DPA governs the processing of Personal Data that Ad Collab performs on behalf of Client in providing the Services. It does not govern Personal Data that Ad Collab processes as an independent Controller (e.g., Client’s own business contact information processed by Ad Collab for relationship management; site-visitor data on adcollab.agency, governed by Ad Collab’s Privacy Policy at https://adcollab.agency/legal/privacy-v1).

1. Definitions

• “Applicable Data Protection Law” means all laws and regulations governing the processing of Personal Data applicable to Ad Collab’s performance of the Services, including (a) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”) and the regulations promulgated thereunder by the California Privacy Protection Agency, (b) the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), (c) the UK GDPR and Data Protection Act 2018, (d) the Swiss Federal Act on Data Protection, and (e) any other data protection legislation applicable to either Party’s processing of Personal Data under the Agreement.
• “Business” and “Service Provider” have the meanings given in CCPA/CPRA. Client is the Business; Ad Collab is the Service Provider.
• “Client Personal Data” means Personal Data that Ad Collab processes on behalf of Client to perform the Services, as described in Annex A.
• “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and similar terms have the meanings given in Applicable Data Protection Law (CCPA/CPRA “Personal Information” is included within “Personal Data” as used here).
• “Sensitive Personal Information” has the meaning given in CCPA/CPRA at Cal. Civ. Code §1798.140(ae) and includes “special categories of personal data” under GDPR Art. 9.
• “Sub-processor” means any third party engaged by Ad Collab to process Client Personal Data.
• “Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data.

2. Scope and Roles

2.1. Roles

• Client is the Controller / Business of Client Personal Data.
• Ad Collab is the Processor / Service Provider, processing Client Personal Data only on Client’s documented instructions.

2.2. Nature and Purpose of Processing

Ad Collab processes Client Personal Data solely to provide the digital advertising management Services described in the SOW, including: delivering ads, measuring ad performance, optimizing campaigns, producing reports, processing customer match lists where Client uploads them, and maintaining Portal access for Client’s authorized personnel.

2.3. Annex A

Annex A (below) describes the categories of Client Personal Data processed, Data Subject categories, processing activities, duration, and retention. Annex A is the description required by GDPR Art. 28(3) and the equivalent CCPA/CPRA service-provider purpose specification.

2.4. Client Instructions

Client’s documented instructions are: (a) the Service Agreement, MSA, Terms Acceptance, SOW, and this DPA; and (b) any subsequent written instruction (including email) consistent with the Services. Ad Collab will not process Client Personal Data for any other purpose. If Ad Collab believes a Client instruction violates Applicable Data Protection Law, Ad Collab will inform Client and may suspend the affected processing pending resolution.

3. Ad Collab’s Obligations as Processor / Service Provider

3.1. Confidentiality

Ad Collab will ensure that any person authorized to process Client Personal Data is under a written or statutory obligation of confidentiality.

3.2. Security Measures

Ad Collab will implement appropriate technical and organizational measures to protect Client Personal Data against unauthorized or unlawful processing, accidental loss, destruction, alteration, or damage, taking into account the state of the art, costs of implementation, nature of processing, and risks to Data Subjects. Measures include, at minimum:

• Encryption in transit (TLS 1.2+) and at rest;
• Role-based access controls with least-privilege principles;
• Multi-factor authentication for administrative access;
• Regular backups with restricted access;
• Monitoring and logging of administrative access;
• Personnel training on data protection;
• Periodic review of the security posture and applicable threats;
• Vendor due diligence on Sub-processors.

3.3. Sub-processors

Ad Collab may engage Sub-processors to perform specific processing activities. Ad Collab:

• Maintains an up-to-date list of Sub-processors, attached as Annex B;
• Imposes data-protection obligations on Sub-processors no less protective than this DPA, by written contract;
• Will give Client at least 30 calendar days’ prior written notice of any intended addition or replacement of a Sub-processor that materially changes the categories in Annex B. Client may object on reasonable data-protection grounds; if the Parties cannot agree on a remediation, Client may terminate the affected portion of the Services without penalty;
• Remains liable for the acts and omissions of its Sub-processors as if performed by Ad Collab.

3.4. Data Subject Rights

Ad Collab will reasonably assist Client in responding to verifiable Data Subject requests under Applicable Data Protection Law (access, correction, deletion, portability, opt-out of sale or sharing, limit use of Sensitive Personal Information, objection, restriction). Ad Collab will promptly forward to Client any Data Subject request Ad Collab receives directly.

3.5. Assistance with Compliance

Ad Collab will reasonably assist Client with:

• Data Protection Impact Assessments (DPIAs) and CCPA/CPRA risk assessments where required;
• Consultations with supervisory authorities or the California Privacy Protection Agency;
• Notifications of Security Incidents to regulators or Data Subjects.

Material assistance beyond routine responses may be billed at Ad Collab’s standard hourly rate after notice to Client.

3.6. Security Incident Notification

Ad Collab will notify Client without undue delay and in any event within 48 hours after becoming aware of a Security Incident involving Client Personal Data. The notification will include, to the extent known: the nature of the incident; categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed to address the incident and mitigate harm. Ad Collab will provide updates as more information becomes available.

3.7. Deletion or Return of Data

On termination of the Services, Ad Collab will, at Client’s choice, delete or return all Client Personal Data within 60 calendar days, subject to: (a) legal retention requirements; (b) retention in routine backups, deleted on Ad Collab’s standard backup cycle; and (c) retention of the minimum records necessary to defend against future claims (such retained data remains subject to this DPA). Ad Collab will certify deletion in writing on request.

3.8. Records of Processing

Ad Collab will maintain records of its processing activities per Applicable Data Protection Law (GDPR Art. 30 where applicable) and make them available to Client on reasonable request.

3.9. CCPA/CPRA Service Provider Compliance — Mandatory Terms

To the extent Ad Collab processes Personal Information of California residents on behalf of Client, Ad Collab is a Service Provider under CCPA/CPRA and Cal. Civ. Code §1798.140(ag), and Ad Collab certifies that it understands and will comply with the following restrictions, which are required by §1798.140(ag)(1):

a. Purpose limitation. Ad Collab will not retain, use, or disclose Client Personal Data for any purpose other than the specific business purposes set forth in the Service Agreement, MSA, Terms Acceptance, SOW, and this DPA, including for Ad Collab’s own commercial purposes other than providing the Services. b. No sale or sharing. Ad Collab will not sell or share (as those terms are defined under CCPA/CPRA) Client Personal Data. c. No use outside the business relationship. Ad Collab will not retain, use, or disclose Client Personal Data outside the direct business relationship between Ad Collab and Client. d. No combination. Ad Collab will not combine Client Personal Data Ad Collab receives from or on behalf of Client with Personal Information that Ad Collab receives from or on behalf of any other person, or that Ad Collab collects from any independent interaction with a consumer, except as permitted by CCPA/CPRA regulations (e.g., for security, fraud prevention, or to perform the business purpose described in this DPA). e. Notification of inability to comply. If Ad Collab determines it can no longer meet its obligations under CCPA/CPRA, Ad Collab will notify Client. Client may, on receiving such notice, take reasonable and appropriate steps to stop and remediate the unauthorized use of Personal Information, including the right to direct Ad Collab to delete or return the Personal Information. f. Right to take steps to ensure compliance. Client may, on reasonable notice, take reasonable and appropriate steps to ensure Ad Collab uses Personal Information consistent with Client’s CCPA/CPRA obligations (e.g., audits per Section 5 of this DPA). g. Limit use of Sensitive Personal Information. Ad Collab will not use Sensitive Personal Information for any purpose other than the limited purposes permitted by CCPA/CPRA at Cal. Civ. Code §1798.121. h. Sub-processor flow-down. Ad Collab’s Sub-processors are bound by equivalent CCPA/CPRA Service Provider terms by written contract. Annex B identifies current Sub-processors. i. Data Subject rights assistance. Ad Collab will assist Client in responding to verifiable consumer requests under CCPA/CPRA (right to know, delete, correct, opt-out of sale or sharing, limit use of Sensitive Personal Information, and non-discrimination).

4. International Transfers

4.1. Ad Collab is U.S.-based

Ad Collab is located in the United States. Services are delivered primarily from the U.S.

4.2. Transfer Mechanisms

For transfers of Client Personal Data from the EEA, UK, or Switzerland to the United States or other third countries, the Parties rely on:

• Standard Contractual Clauses (SCCs) issued by the European Commission on 4 June 2021 (Module 2: Controller-to-Processor), which are hereby incorporated into this DPA where required. Annex A and Annex B serve as the SCC Annexes.
• For UK transfers: the UK International Data Transfer Addendum to the EU Commission SCCs issued by the UK Information Commissioner’s Office, incorporated where required.
• For Swiss transfers: the Swiss Federal Data Protection and Information Commissioner’s guidance on SCCs, applied where required.

4.3. Onward Transfers

Ad Collab will not transfer Client Personal Data to Sub-processors in third countries without an equivalent transfer mechanism (SCCs, adequacy decision, or another lawful transfer basis under Applicable Data Protection Law).

5. Audits

5.1. Right to Audit

Client may, on reasonable advance notice (at least 30 calendar days) and not more than once per calendar year, audit Ad Collab’s compliance with this DPA. Audits may be conducted by Client’s personnel or by an independent auditor under appropriate confidentiality obligations. More frequent audits are permitted following a Security Incident or where required by a supervisory authority.

5.2. Scope

Audits are limited to Ad Collab’s processing of Client Personal Data and are conducted during business hours in a manner that does not unreasonably disrupt Ad Collab’s operations.

5.3. Documentation in Lieu of On-Site

Ad Collab may satisfy audit rights by providing written responses to a reasonable audit questionnaire, summaries of security measures, third-party audit reports (e.g., SOC 2 reports of Sub-processors), penetration-test summaries, and certifications.

5.4. Costs

Each Party bears its own audit costs unless the audit reveals material non-compliance, in which case Ad Collab bears Client’s reasonable audit costs.

6. CCPA/CPRA Specific Provisions

6.1. Service Provider Status

Ad Collab is a Service Provider under CCPA/CPRA. The mandatory terms in §3.9 govern Ad Collab’s obligations.

6.2. Prohibited Uses

The prohibited uses in §3.9(a)–(d) and §3.9(g) are restated and apply.

6.3. Certification

Ad Collab certifies that it understands the prohibitions in §3.9 and §6.2 and will comply.

6.4. Consumer Rights Requests

Ad Collab will assist Client in responding to verifiable consumer requests including: right to know; right to delete; right to correct; right to opt-out of sale or sharing; right to limit use and disclosure of Sensitive Personal Information; right to non-discrimination; and right to data portability.

6.5. Authorized Sub-processors

Ad Collab’s Sub-processors listed in Annex B are bound by equivalent CCPA/CPRA Service Provider terms by written contract.

7. GDPR / UK GDPR Specific Provisions (Where Applicable)

7.1. Article 28 Compliance

Where GDPR or UK GDPR applies to processing of Client Personal Data, this DPA constitutes the data processing agreement required by Article 28(3). The Parties intend that the processor obligations in §§3.1–3.8 satisfy Articles 28(3)(a)–(h).

7.2. International Transfers

International transfer mechanisms are governed by §4.

7.3. Joint Controller Scenarios

Nothing in this DPA creates a joint-controller relationship. Where the Parties’ processing for a specific purpose would constitute joint controllership under GDPR Art. 26, the Parties will execute a separate joint-controller agreement.

8. Liability

Liability arising under this DPA is subject to the limitation of liability provisions in MSA §10. To the extent Applicable Data Protection Law provides direct remedies to Data Subjects or regulators that cannot be limited by contract, those remedies are not limited by the MSA’s cap (per MSA §10.3(f) and Cal. Civ. Code §1668).

9. Term and Termination

This DPA is effective as of the date the Service Agreement is signed and remains in effect for so long as Ad Collab processes Client Personal Data. Termination of the Service Agreement terminates this DPA, subject to Ad Collab’s surviving obligations in §3.7 (deletion/return), §3.2 (security of any retained data), §3.6 (notification of incidents discovered post-termination), and any obligations required by Applicable Data Protection Law to survive.

10. Conflict and Order of Precedence

If there is a conflict between this DPA and other agreements between the Parties, this DPA prevails with respect to the subject matter it addresses (data processing). The SCCs (where incorporated under §4.2) prevail over this DPA to the extent of any conflict regarding international transfers under EU/UK/Swiss law.

11. Updates to this DPA

Ad Collab may update this DPA from time to time to reflect changes in Applicable Data Protection Law, regulatory guidance, or business practices. Material updates require at least 30 calendar days’ advance notice (per Terms §8). Existing signed DPAs remain bound to the version executed until a new version is signed or, where this DPA is incorporated by reference into a Service Agreement, until the relevant Service Agreement is amended or re-executed.

Annex A — Description of Processing

A.1. Categories of Data Subjects

• Client’s website visitors and prospects
• Client’s existing customers (where Client uploads customer match lists for audience creation)
• Individuals whose data is collected via advertising platforms (Google Ads, Meta, TikTok, LinkedIn, etc.) in connection with Client’s campaigns
• Client’s authorized personnel accessing the Portal

A.2. Categories of Personal Data

• Contact identifiers: email addresses, phone numbers, hashed identifiers (where Client uploads customer match lists)
• Online identifiers: cookies, pixel IDs, device IDs, IP addresses (as collected by Client’s analytics and advertising pixels)
• Geolocation: coarse location (city, region) derived from IP
• Marketing data: ad impressions, clicks, conversions, attribution data
• Portal account data: Portal login credentials, session tokens, access logs
• Communications: emails and messages between Client’s authorized personnel and Ad Collab

A.3. Sensitive Personal Information / Special Categories

Ad Collab does not knowingly process Sensitive Personal Information (as defined under CCPA/CPRA at Cal. Civ. Code §1798.140(ae)) or Special Categories of Personal Data (as defined under GDPR Art. 9) on behalf of Client. Client agrees not to direct Ad Collab to process such information through the Services without prior written agreement that includes additional safeguards (and Client acknowledges that some advertising verticals — e.g., health, financial, immigration-status — may inherently involve Sensitive Personal Information and will require a separate addendum).

A.4. Nature of Processing

• Collection (via Client’s pixels, analytics, advertising-platform integrations, and customer-list uploads from Client)
• Storage (in Supabase database, Client’s advertising-platform accounts, and the Portal)
• Analysis (for campaign optimization and reporting)
• Disclosure (to advertising platforms acting as Client’s vendors)
• Erasure (per Client instructions or retention policies)

A.5. Purpose of Processing

To perform the digital advertising management Services described in the SOW, including ad delivery, audience creation and targeting, measurement, optimization, and reporting.

A.6. Duration

For the duration of the Service Agreement plus the retention period specified in §3.7 and Client’s own retention policies as applicable.

A.7. Frequency

Continuous during the term of the Service Agreement.

Annex B — Sub-processors

This Annex lists Ad Collab’s current Sub-processors. Ad Collab may update this list by written notice to Client (per §3.3 of this DPA and Terms §3.5).

Last updated: 2026-04-27.

Annex C — Standard Contractual Clauses (SCCs)

Where applicable (i.e., international transfers of Client Personal Data from the EEA, UK, or Switzerland): the Standard Contractual Clauses issued by the European Commission on 4 June 2021 (Module 2: Controller-to-Processor) are incorporated by reference. This DPA and its Annexes serve as the required SCC Annexes.

• Module selected: Module Two (Controller to Processor)
• Clause 7 — Docking clause: Not applicable (no additional parties).
• Clause 9(a) — Sub-processors: Option 2 (general authorization). Ad Collab will inform Client of Sub-processor changes as described in §3.3.
• Clause 11(a) — Redress: The optional independent dispute-resolution body is not selected.
• Clause 17 — Governing law: Republic of Ireland (or substitute applicable EU member-state law if required by a supervisory authority).
• Clause 18 — Forum: Republic of Ireland (or substitute applicable member-state).
• UK International Data Transfer Addendum: Incorporated where UK transfers are involved; completes the SCCs for UK-specific terms.

Parties may execute the SCCs as a standalone signed document if a counterparty or regulator requires; this DPA serves as execution in the absence of that request.

End of DPA v1.1.