DATA PROCESSING ADDENDUM 

This Data Processing Addendum (“Addendum”) forms a legally binding contract between You (“Customer” or “Controller”) and Aleph (“Processor”), applies to the extent Aleph processes Customer Personal Data on Your behalf when You are the Controller, and is incorporated into the Advertising Services Agreement, Insertion Order or other contract that You and Aleph may have entered into (“Main Agreement”).

Definitions.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Sensitive Personal Data”, “Processing”, “Consent”, “Personal Data Breach” and “Supervisory Authority” shall have the meaning given in the Applicable Data Protection Law. These terms shall also apply in the event Applicable Data Protection Law in the Data Subject’s, Aleph’s or Customer’s territory uses different terms than the terms listed here to convey the same essential concepts.

“Applicable Data Protection Law” means any and all applicable privacy and data protection laws and regulations, as may be amended or superseded from time to time, including the Jurisdiction-Specific Terms under Schedule D of this Addendum.

“Customer Personal Data” shall mean Personal Data of Data Subject(s) used for the purpose of advertising on a Platform. This includes Personal Data of individuals included in audience lists or ad viewers, as listed in Schedule A.

Any terms not defined herein shall have the meaning ascribed to them in the Main Agreement. 

Relationship of the Parties.

The parties acknowledge and agree that with respect to Personal Data either: (i) Aleph is a Processor and you are a Controller; or (ii) Aleph is a Sub-processor of Personal Data and you are a Processor of Personal Data on behalf of a third-party Controller (for example, an advertiser on whose behalf you are using the Services of Aleph). If any provision herein refers to You acting as a Controller, this should be interpreted as referring to You being a Processor, and any obligations that are Controller obligations under the Applicable Data Protection Law shall be deemed to refer to your End Advertisers instead. Under no circumstances shall it be deemed that Aleph determines the purposes and means of the Processing of Customer Personal Data.

Your Responsibilities.

You are solely responsible for ensuring that your collection and provision of Customer Personal Data to Aleph complies with all Applicable Data Protection Laws. This includes, but is not limited to, providing any required notices to Data Subjects regarding the disclosure of their Personal Data to Aleph. You represent, warrant, and covenant that: (i) You are solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which you acquired such data; (ii) You have obtained and will maintain all necessary legal bases, rights, and Consents to permit the Processor to Process the Personal Data you provide; (iii) Your provision of Customer Personal Data to Aleph is and will remain in full compliance with all Applicable Data Protection Laws; (iv) You have implemented a process to facilitate the exercise of Data Subject rights under Applicable Data Protection Laws, including but not limited to rights of access, rectification, deletion, and objection; and (v) You shall not engage in any conduct that renders or is likely to render the Platform’s owner or its Affiliates in breach of any Applicable Data Protection Laws. Further, You shall not knowingly collect, use or disclose (or enable the collection, use or disclosure of) Sensitive Personal Data, or Personal Data of children under the age of sixteen (16), in connection with the Platform(s) for which You receive Services, to the extent applicable.

Aleph Responsibilities.

  1. Cooperation. Aleph shall provide You with reasonable cooperation and assistance as necessary to enable You to fulfill Your obligations under the Applicable Data Protection Law. This includes support related to data security, data breach notifications, data protection impact assessments, responding to data subject requests, and addressing any inquiries or investigations from Supervisory Authorities, to the extent required under the Applicable Data Protection Law. If Aleph receives any requests or complaints from Data Subjects or inquiries from Supervisory Authorities relating to Customer Personal Data, Aleph will promptly notify You, and in any event within seven (7) business days, of these requests. 

  2. Personal Data Breach. Aleph will, without undue delay, notify You in writing of a Personal Data Breach affecting Customer Personal Data. The notification shall include details of the Personal Data Breach, its likely consequences, and the measures taken or proposed to be taken by Aleph to address the Personal Data Breach and mitigate its effects. Upon Your request, Aleph shall provide any additional information necessary to enable You to fulfill Your obligations under Applicable Data Protection Law, including notifying the competent Supervisory Authorities. Aleph reserves the right to redact information that is confidential or protected by law.

  3. Sub-processors. You grant us general authorization to engage Sub-processors, subject to the following conditions: (a) all Sub-processors must adhere to data protection standards no less stringent than those outlined in this Addendum and comply with all applicable data protection laws; (b) Aleph shall maintain an up-to-date list of Sub-processors, which is attached as Schedule B to the Addendum, and shall promptly notify You of any changes to this list; (c) You may object to the appointment of a new Sub-processor within ten (10) calendar days on reasonable grounds, in which case Aleph shall either (i) instruct the Sub-processor to cease any further processing of Personal Data, in which event this Addendum shall continue unaffected; or (ii) allow You to terminate the Addendum immediately; (d) Aleph remains fully liable for any acts or omissions of its Sub-processors in relation to the Processing of Personal Data; and (e) each Sub-processor shall be bound by a written contract that includes provisions equivalent to the data protection obligations set forth in this Addendum.

  4. Confidentiality and Non-Disclosure. Aleph shall implement reasonable measures to ensure that any personnel engaged in the Processing of Personal Data: (i) are granted access to Personal Data only to the extent necessary for the performance of their assigned duties; (ii) have received appropriate training on the handling of Personal Data; and (iii) are bound by contractual obligations to maintain the privacy, security, and confidentiality of Personal Data. Aleph will not publish, disclose, or divulge (and will ensure that its personnel do not publish, disclose, or divulge) Personal Data to a third party unless You have given prior written consent.

  5. Cross-border Transfers. Any cross-border transfer of Customer Personal Data shall be carried out in full compliance with the Applicable Data Protection Law. You acknowledge and agree that Aleph may transfer and Process Customer Personal Data on a global basis as necessary to provide the Services. Aleph shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Law and this Addendum.

  6. Audit. To the extent the Applicable Data Protection Law grants you audit rights, then You, or Your chosen non-competing third party, can audit Aleph’s compliance with this Addendum once a year, with at least thirty (30) calendar days' notice, during Aleph’s normal business hours as long as the audit does not disrupt normal business operations of Aleph. The Processor will help Controller with the audit. In no event is the Controller (or, for avoidance of doubt, any authorized third-party auditor) entitled to access or receive Aleph’s proprietary or confidential information, except to the extent strictly necessary to demonstrate compliance with this Addendum. Where relevant, Aleph’s current audit reports (e.g., SOC 2 Type II, ISO 27001) will satisfy audit requirements under this clause. 

  7. Records. Aleph shall maintain a record of processing activities, detailing the data of the Controller, Processor, and DPO (if applicable), categories of Personal Data, authorized personnel, Processing details (times, scope, modifications, purpose), cross-border transfers (if any), and technical/organizational security measures. This record shall be provided to the competent Supervisory Authority upon request.

  8. Data Return or Deletion. Upon termination or expiry of the Main Agreement, Aleph will securely delete or destroy, or return as may be explicitly directed in writing by You, all Customer Personal Data related to this Addendum. If any law requires Aleph to retain Personal Data it would otherwise be obligated to delete or return, it will notify You in writing. Upon Your written request, Aleph will certify in writing that it has deleted or destroyed the Customer Personal Data.

  9. Security. Aleph shall at all times implement appropriate technical and organizational measures against accidental or unlawful destruction, loss, unauthorized access or disclosure of, alteration, and reproduction of the Customer Personal Data. Aleph shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate: (i) the anonymisation/pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

Liability and Indemnification. Aleph’s total liability to You for any and all claims arising out of or in connection with this Addendum, whether in contract, tort, or otherwise, shall not exceed the total amount paid by You to Aleph under the Main Agreement during the six (6) months preceding the incident giving rise to the claim. In no event shall Aleph be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, loss of business, loss of data, or interruption of business, even if You have been advised of the possibility of such damages. You shall indemnify, defend, and hold harmless Aleph, its affiliates, directors, officers, employees, and agents from and against any and all claims, demands, actions, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) from third parties arising out of or in connection with: (i) Your breach of any of Your obligations under this Addendum or Applicable Data Protection Law; and (ii) any act or omission of Yours or of your personnel, agents, or subcontractors.

Conflicts. To the extent Aleph Processes Customer Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule D (“Jurisdiction-Specific Legislation”), the applicable Jurisdiction-Specific Legislation will take precedence in the event of a conflict or ambiguity between the Jurisdiction-Specific Legislation and any terms of this Addendum, but only to the extent of the Jurisdiction-Specific Legislation’s applicability to Aleph. To the extent that Jurisdiction-Specific Legislation imposes obligations on Aleph that are less onerous than the obligations set forth in this Addendum, both Parties agree that Aleph’s obligations under the Jurisdiction-Specific Legislation shall prevail and be deemed applicable instead. If there is a conflict or inconsistency between this Addendum and the Main Agreement, this Addendum shall take precedence.

Term and Termination: The term of this Addendum will follow the term of the Main Agreement. This Addendum will terminate automatically upon termination of the Main Agreement. 

Schedule A | Details of Data Processing

For each Platform, this Schedule sets out the Description of Processing, the Role of Each Party, the Categories of Personal Data and whether Sensitive Personal Data is processed.

If you advertise on X

Description of Processing: You share Customer Personal Data with Aleph:

  a. when You create a new audience by uploading a list on X directly by yourself and grant access rights to the same audience list to Aleph; and/or

  b. when You want to create a new audience and send the new audience list to Aleph for direct upload. You can grant access rights to the same audience list to Aleph.

Role of Each Party: The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.

Categories of Personal Data:

For processing activity under a: emails, phone numbers, mobile advertising IDs, X IDs, and X usernames, only as hashed data.

For processing activity under b: emails, phone numbers, mobile advertising IDs, X IDs, and X usernames.

Hashed Customer Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless You instruct Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from You.

Sensitive Personal Data: None

If you advertise on TikTok

Description of Processing: You share Customer Personal Data with Aleph when running Lead Generation campaigns. This Processing activity occurs only when:

  a. You create a Lead Generation form on TikTok (“instant form”); and

  b. the information from Lead Generation campaigns needs to be downloaded and sent to You, because You cannot access this information directly due to access rights limitations.

Role of Each Party: The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.

Categories of Personal Data: Any Personal Data the Customer shares with Aleph via an instant form. This usually includes the full name, telephone number and/or email, but depends on the content of the instant form and can vary.

Sensitive Personal Data: None

If you advertise on Snapchat

Description of Processing: You share Customer Personal Data with Aleph when:

  a. You run in-app Lead Campaigns and grant Aleph access to Your Ads Manager; and/or

  b. You run Lead Campaigns and want Aleph to launch Your campaign using Aleph’s Ads Manager.

Role of Each Party: The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.

Categories of Personal Data: For a. and b.: any Personal Data the Customer shares with Aleph via a Lead Form. This always includes the full name, telephone number and/or email, but can vary depending on the information included in the Lead Form. Please see the detailed Form Fields Summary for more information on optional fields and custom questions.

Sensitive Personal Data: None

If you advertise on Amazon

Description of Processing: You share Customer Personal Data with Aleph when You create a hashed data file (“File”) and share it with us to upload on the Platform.

Role of Each Party: The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.

Categories of Personal Data: Customer’s End User Personal Data. The File contains fields for: email, phone, first name, last name, street address, city, state/province, postal code, with a minimum of one (1) required field to be filled out by the Customer. All personal data in the File are hashed.

Hashed Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless You instruct Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from You.

Sensitive Personal Data: None

If you advertise on Meta

Description of Processing: You share Customer Personal Data with Aleph when conducting Lead Generation campaigns. This Processing activity occurs only when:

  a. the advertiser creates a Lead Generation form on the Platform (“instant form”);

  b. You share your Platform page with us; and

  c. Aleph assigns itself an admin role for Your Platform page.

Role of Each Party: The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.

Categories of Personal Data: Any Personal Data You disclose to Aleph according to the information provided via an instant form. This usually includes the full name, telephone number and email of individuals in audience lists, but depends on the content of the instant form and can vary.

Sensitive Personal Data: None

Nature of Processing: Aleph will Process Customer Personal Data for the purpose of providing the Services under the Main Agreement in accordance with its terms, and may be subject to the following Processing activities:

  • Disclosure in accordance with the Main Agreement and/or as compelled by applicable laws. 

Duration of Processing: Term of the Agreement



Schedule B - Sub-processors

Company | Location | Purpose

Revolgy | Czech Republic | Google Workspace services

Microsoft | USA | ERP (Dynamics 365)

AWS | Singapore | Cloud servers and services, CDN, Backup

NextLink | Switzerland | Basic IT Support

Kontron | Slovenia | Servers maintenance

Cyberproof | Spain | SOC security service

Aleph Group Subsidiaries and Affiliates | see list (upon request) | Performance of contract



Schedule C | Aleph Security Measures

Regular testing, assessing and evaluation:

All the measures and policies should be reviewed, evaluated and adopted on a yearly basis.


Granting and revoking authorizations or accesses:

The purpose of a policy of granting and revoking authorizations or accesses is to reduce the chances of unauthorized logical access to the Information System (IS), data and information.

Authorization shall be: (a) triggered by an individual or defined in the work scope of the employee, (b) approved by an authorized person or company director, (c) granted by the system administrator, and (d) conditional on the employee signing a statement of responsibility, as defined for all secure premises or IS.

Withdrawal of authorization shall be: (a) initiated by an authorized person or upon termination of a contract of employment or business cooperation, (b) the access is taken away by the system administrator, and (c) resignation statements must be signed.

Mandatory steps for new employees: devices owned by the company need to be enrolled in a central MDM solution. Software that is mandatory for company-owned devices: (a) MDM - Mobile device management, (b) EDR - Endpoint Detection and Response, (c) SIEM - central collection of log files, (d) Vulnerability management.


Physical access policy:

The offices are protected by access control and a mechanical lock. All access to certain predefined premises shall be recorded in the central system of the organization, to which only authorized persons have access. The entire facility, including the office, is protected by an alarm system activated by the last authorized person upon departure from the office and switched off by the first authorized person upon arrival at the office. Allocation of alarm codes is done by the director or by a person authorized by the director. Upon receipt of the alarm code, the person signs a receipt and commits to protecting access and information. The archive room, server room and co-location of server infrastructure are specially protected. Only persons authorized by the company director have access. The authorized person must sign the Statement of Awareness of the Privacy Policy and must comply with the Privacy and Confidentiality Policy. Entry by unauthorized persons is prohibited and disabled.

Access to Source Data: Only authorized persons have access to the source data.

Saving Data Copies: The copies are stored in specially protected premises.

Company data storage:  Users must store company data to the company-approved storage Google Drive. It is not permitted to use removable storage or local storage devices.


Destruction/Deletion of Data:

Destruction of Data Copies: When deleting data from computer media, a method of erasure shall be used that makes it impossible to restore all or part of the deleted data. Personal data contained on traditional media (documents, files, registers, lists, ...) are erased by destruction of the media. Such media are physically destroyed (cut) at the premises of the organization. Digital media (hard drives, USB sticks) are physically destroyed after the end of their useful life. Storage media are permanently destroyed (drilled, cut, ...) by a technical and maintenance worker (system administrator). With the care and diligence laid down in this policy for the destruction of personal data kept in databases or on individual media, the supporting documentation must also be deleted and destroyed. When the destruction of the storage media takes place outside the premises of the organization, the destruction must be attended by at least two persons, who must make a record containing the following information: (a) what was destroyed, (b) when it was destroyed, and (c) the signatures of those present.


Control of Company Network Access:

Secured networks: Wireless access to the network is protected by WPA2 + AES and by registering the device in the routers (MAC authentication). A device that knows only the password cannot connect to the IT network.

Guest access: Guest access is a separate IT network that is not connected to the central IT networks of the Organization. The network is protected by WPA2 + AES and device isolation.

The guest network is free for use by all company guests and employees (third parties), who can access the network only by entering a password. The password is changed once a year.

Remote access: Remote access is possible via VPN, where: (a) access is granted only to persons who have been granted such access by an authorized person and have signed the provisions of such access, (b) user authentication is performed with a password and a digital certificate, and (c) each access is logged on the servers and kept for at least 3 months.


IS Change Control Policy:

Installing the Software

To avoid system malfunctions and reduce security vulnerabilities: (a) compliance with all license terms of the software is expected, (b) only software approved by the system administration may be installed, (c) only software that has been whitelisted in the MDM can be installed, and (d) employees do not have rights to install software.


Technical measurements and description of IS:

Development environment: (a) the production environment is not accessible from the development environment and (b) development is done using test and anonymized data (no individual can be identified).

Test environment: (a) staging is primarily intended for the manual testing of new IS functionality before upgrading the production environment, (b) access to production is not possible from the test environment, (c) data is test data and anonymized, and the server infrastructure is duplicated, (d) this environment is also used to introduce new functionalities to our business partners, (e) only designated persons (Technical Director, Team Leaders) can deploy IS upgrades to the test environment, and (f) the entire development team has access to the environment.

Production environment: (a) access is restricted to technical directors, development team leaders and system administrators only and (b) IS upgrade in this environment can only be done after thorough automatic and manual IS testing in the development and test environment.


Audit trail policy:

The aim is to ensure traceability of data in cases of misuse. To the extent possible: (a) historical changes to data must be recorded in a form that cannot be modified by an individual, and (b) all system accesses are recorded in fixed system logs. Responsibility for turning on and controlling the systems or functionality for monitoring audit trails lies with: (a) the System Administrator for System / Infrastructure Access, (b) the IT Director for IS Change, (c) the Cybersecurity Director for investigating possible incidents, and (d) the Chief People Officer for Employee Documentation.


Password management and security policy: 

Employees must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Passwords are a key part of IT’s strategy to make sure only authorized people can access those resources and data. All employees who have access to any of those resources are responsible for choosing strong passwords or passphrases (where available) and protecting their log-in information from unauthorized people.


Malware protection policy

Device protection: All devices that have this feature and are a frequent target of attacks should have the latest antivirus protection installed, which should be updated regularly and automatically.


Protecting IT infrastructure

Firewall: On a secure network as well as on the server infrastructure an active firewall must be installed that operates on a whitelist principle and allows outbound traffic only through designated exit routes (ports). The restriction applies to both secure networked areas and the guest network.


Schedule D | Jurisdiction-Specific Terms


Argentina: Personal Data Protection Act, Act No. 25.326 of 2000, Decree No. 1558/2001 Regulating Law No. 25.326, amended by Decree No. 1160/10, and any other applicable data protection regulations, as amended from time to time. 

Colombia: Statutory law No.1266 and No.1581 and any other applicable data protection regulations, as amended from time to time. 

Costa-Rica: Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011, the Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968, as amended by Decree No. 40008-JP, and any other applicable data protection regulations, as amended from time to time. 

Ecuador: The Organic Law on the Protection of Personal Data 2021 and any other applicable data protection regulations, as amended from time to time.

Mexico: Federal Law on Protection of Personal Data Held by Private Parties, Regulations to the Federal Law on Protection of Personal Data Held by Private Parties, and any other applicable data protection regulations, as amended from time to time.

Panama: Law No. 81 of March 26, 2019, Executive Decree No. 285 of May 28th, 2021, and any other applicable data protection regulations, as amended from time to time.

Peru: Law No. 29.733 on the Protection of Personal Data 2011, Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733, and any other applicable data protection regulations, as amended from time to time.

The United States: all state laws relating to the protection and Processing of Personal Data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act (“US State Privacy Laws”).

