DATA PROCESSING ADDENDUM
Last updated 16 June, 2025
This Data Processing Addendum (“DPA”) forms a legally binding contract between You (“Customer” or “Controller”) and Aleph (“Provider”), applies to the extent Aleph processes Customer Personal Data on Your behalf, and is incorporated into the Advertising Services Agreement, Insertion Order or other contract that You and Aleph may have entered into (“Main Agreement”). For any questions related to this DPA, please see our FAQ document. If you require a signed version of this DPA, please contact us.
BACKGROUND AND RELATIONSHIP WITH THE MAIN AGREEMENT
The Customer and the Provider (the “Parties”, and each a “Party”) entered into the Main Agreement that may require the Provider to process Personal Data on behalf of the Customer.
This DPA is incorporated into and subject to the terms of the Main Agreement, and sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing Services. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes. In the case of conflict or ambiguity between any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail.
This DPA shall become effective upon full execution of the Information Table by the Parties.
The Parties agree that this DPA will replace any existing data processing agreement the Parties may have previously entered into in connection with the provided Services.
Except for the changes made by this DPA, the Main Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Main Agreement, this DPA will prevail to the extent of that conflict. Any claims brought under or in connection with this DPA will be subject to the Main Agreement. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will prevail.
To the extent that a Commercial Partner that the Customer receives Services for amends any of the terms and conditions applicable to the Provider that affect any of the conditions related to the Processing of Customer Personal Data or the data protection obligations and rights of any of the Parties, the Customer acknowledges and agrees that they shall execute an Addendum to this DPA to continue receiving the Services from the Provider.
AGREED TERMS
1. DEFINITIONS AND INTERPRETATION
The following definitions apply in this DPA. Terms not defined in this DPA will have the meaning set forth in the Main Agreement.
“Advertising Agreement” means any existing or future legally binding contractual relationship between Aleph and the Customer, including any exhibits and/or attachments applicable to the covered Services, the Aleph Terms and Conditions available at https://www.alephholding.com/terms-and-conditions, and Order Forms.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Aleph Group” means Aleph Group Inc. together with all its subsidiaries and affiliates.
“Applicable Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
“Authorised Person(s)” means the persons or categories of persons that the Customer has authorised to give the Provider written personal data processing instructions as defined in Annex A and from whom the Provider agrees solely to accept such instructions.
“Commercial Partner” means a corporation or other legal entity which has selected Aleph or another member of the Aleph Group as their official commercial representative for advertising services in the applicable territory and whose services the Parties use in order to fulfil their obligations under the Advertising Agreement. For the avoidance of doubt, Commercial Partner shall only refer to the corporations or entities that are specifically covered under the Advertising Agreement(s), Service Agreement, Multichannel Agreement, Order Form, or similar agreement (“Main Agreement”) between the Parties. Annex A and clause 7.3 shall be deemed applicable only to the extent that the Commercial Partner is among Managed and/or Self-Service platforms of the Main Agreement. The processing details for the rest of the corporations or entities under Annex A and security measures in clause 7.3 shall apply only in the event of an amendment to the Main Agreement where Customer wishes to receive Services for a platform that is not a Commercial Partner in this DPA or in case Customer decides to enter into a new Main Agreement with the Provider or another member of the Aleph Group where Services rendered will concern a platform that does not constitute a Commercial Partner under this DPA.
“Communications” shall mean Provider’s success stories, product briefs sent out on an ad hoc basis, upcoming events invitations, only related to provision of the Services, sent to the Customer while providing contractually agreed Services.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Sensitive Personal Data”, “Processing”, “Special Categories of Personal Data”, “Consent”, “Personal Data Breach” and “Supervisory Authority” shall have the meaning given in EU Data Protection Law.
“Customer Personal Data” shall mean the End User Personal Data that is listed under Annex A (ii) of this DPA.
“EEA” shall mean the European Economic Area.
“End User” shall mean a person who ultimately uses or is intended to ultimately use the Customer’s products and/or services.
“EU” means the European Union.
“EU Data Protection Law” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”), as amended; (ii) the EU Directive 2009/136/EC, as amended (the “E-Privacy Directive”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding the GDPR and the E-Privacy Directive; and (iv) any legislation replacing or updating any of the foregoing.
“Purposes” means the Services to be provided by the Provider to the Customer as described in the Advertising Agreement and any other purpose specifically identified in Annex A.
“Subprocessor” shall mean a member of the Aleph Group or third-party entity engaged by Aleph or member of the Aleph Group as a Processor under this DPA.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914/EC of 4th of June 2021, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=SL for the transfer of Personal Data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and the Council.
2. RELATIONSHIP OF THE PARTIES
Customer is a direct advertiser: The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, the Provider is a Processor acting on behalf of the direct advertiser ("Controller"). The scope, classification and details of Customer Personal Data Processing are described in Annex A.
Customer is an Agency: The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, the Provider is a Sub-processor acting on behalf of the Agency (“Processor”). Agency’s clients (“Advertisers”) shall have sole and exclusive authority to determine the purposes and means of any Processing of Customer Personal Data in the context of the Agreement as the Controller. The Provider shall Process Customer Personal Data only on behalf of and for the benefit of the Controller in the context of its direct business relationship with Agency and to carry out its obligations pursuant to the Agreement and the Controller’s reasonable and lawful written instructions, as they may be issued by the Controller from time to time. The scope, classification and details of Customer Personal Data Processing are described in Annex A. Accordingly, if any provision herein refers to the Customer acting as a Controller, this should be interpreted by the Parties as referring to the Customer acting as a Processor. Any obligations of the Customer that are obligations of the Controller under the Applicable Data Protection Law shall be deemed to refer to the Agency’s Advertisers instead.
3. PERSONAL DATA TYPES AND PURPOSES
The Customer and the Provider agree and acknowledge that for the purpose of the EU Data Protection Law:
The Customer is the Controller and the Provider is the Processor.
The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the EU Data Protection Law, including, but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.
Annex A describes Personal Data Processing Purposes and all other relevant details of Processing Activities.
4. GENERAL TERMS
The Parties shall comply with their respective obligations under EU Data Protection Law.
Cooperation:
Data Subject Requests.
4.1 Facilitation of Responses. The Services provide the Customer with a number of controls that the Customer may use to retrieve, correct, delete, or restrict Customer Data, which the Customer may use to assist it in connection with its obligations under EU Data Protection Law, including its obligations relating to responding to requests from Data Subjects or applicable data protection authorities. To the extent that the Customer is unable to independently access the relevant Customer Data within the Services, Aleph will provide reasonable assistance to respond to any such requests from Data Subjects or competent data protection authorities relating to the Processing of Customer Data under this DPA.
4.2 Requests received by Aleph. Should Aleph receive any requests from Data Subjects to exercise their rights, Aleph will not respond to such Data Subject except to acknowledge their request and notify the individual of the need to submit the request directly to the Customer, and will promptly notify the Customer of the request, unless legally prohibited from providing such notification. Aleph will provide the Customer with commercially reasonable assistance, upon request, to help the Customer to respond to such requests.
5. OBLIGATIONS OF THE CUSTOMER
5.1 The Customer remains the sole Controller regarding the Personal Data and is responsible for the legality of the Processing under the EU Data Protection Law, including but not limited to, providing any required notices and obtaining any required consents from the Data Subjects and for the written instructions of an Authorised Person to the Provider. Verbal instructions of the Authorised Person shall be confirmed in writing.
5.2 The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Purposes, and as specifically instructed by the Customer, will comply with the EU Data Protection Law.
5.3 The Customer warrants and represents that its Processing instructions comply with all Applicable Data Protection Laws and is solely responsible for ensuring the use of the correct legal basis when processing Customer Personal Data, including obtaining Consent from End Users, where applicable. The Customer further acknowledges that, taking into account the nature of the Processing, the Provider is not in a position to determine whether the Customer’s instructions infringe Applicable Data Protection Laws and shall not incur any liability in the event the Customer violates its obligation under clauses 5.1 and 5.2 of this DPA.
5.4 The Customer shall not knowingly collect, use or disclose (or enable collection, use or disclosure of) Personal Data, or data of children under the age of sixteen (16) in the EU/EEA in connection with the platforms of the Commercial Partner they receive Services for and to the extent applicable.
5.5 The Customer shall, and will contractually require any other third parties that collect data through ads, to post on their respective websites and adhere to privacy policies that comply with Applicable Data Protection Laws. The Customer shall not alter and shall prohibit other third parties from altering any ad tags to pass information to the Commercial Partner it receives Services for that it could use or recognize as Personal Data. The Customer shall not collect, use or disclose, or enable any third party to collect, use or disclose, in any manner any Personal Data in connection with the serving of ads on the publisher properties. In addition, the Customer shall not associate cookies or pixels used in connection with the Main Agreement with Personal Data. In connection with the use of the platform of the Commercial Partner that the Customer receives Services for, the Customer shall not engage in any conduct that renders or is likely to render the Commercial Partner or its Affiliates to be in breach of any Applicable Data Protection Laws.
5.6 The Customer shall not use a platform of the Commercial Partner they receive Services for to collect information about or reach audiences based on sensitive personal information as defined by Applicable Data Protection Laws, such as certain financial status or health and medical information, and will not provide such information to the Commercial Partner in connection with their use of its platform.
5.7 The terms in clauses 5.5 and 5.6 of this DPA shall only apply to the extent applicable based on the environment and functionalities of the platforms that the Customer receives Services for.
6. PROVIDER’S OBLIGATIONS
6.1 The Provider will process Customer Personal Data only in accordance with documented instructions from the Customer. The Main Agreement (including this DPA) constitutes such documented initial instructions. The Provider will use reasonable efforts to follow any other Customer instructions, as long as they are required by Applicable Data Protection Law and are technically feasible. If any of the aforementioned exceptions apply, or the Provider otherwise cannot comply with an instruction or is of the opinion that an instruction infringes Applicable Data Protection Law, the Provider will immediately notify the Customer (email permitted).
6.2 The Provider may process Customer Personal Data as necessary to detect security incidents or protect against fraudulent or illegal activity and to maintain the level of quality of the Services as agreed in the Advertising Agreement.
6.3 The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unlawful processing.
6.4 The Provider will maintain the confidentiality of the Personal Data and will not disclose the Customer Personal Data to third parties (except to Commercial Partner where applicable) unless the Customer or this DPA specifically authorises the disclosure, or as required by national law, court or regulator. If national law, court or regulator requires the Provider to process or disclose the Personal Data to a third party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the national law prohibits such notice.
6.5 The Provider will reasonably assist the Customer with meeting the Customer’s compliance obligations under the EU Data Protection Law, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the competent Supervisory Authority under the EU Data Protection Law.
6.6 The Provider shall notify the Customer, if informed, of any changes to the EU Data Protection Law that may in its opinion reasonably be interpreted as adversely affecting the Provider’s performance of the Advertising Agreement or this DPA.
6.7 The Provider will ensure that all of its employees, contractors, agents and interns:
Are informed of the confidential nature of the Customer Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
Have undertaken training on the EU Data Protection Law and how it relates to their handling of the Personal Data and how it applies to their particular duties.
7. SECURITY
7.1 The Provider must at all times implement appropriate technical and organisational measures against accidental or unlawful destruction, loss, unauthorised access or disclosure of, alteration and reproduction of the Customer Personal Data including, but not limited to, the security measures set out in Annex B.
7.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
The anonymisation/pseudonymisation and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
A process for regularly testing, assessing and evaluating the effectiveness of the security measures.
7.3 The Customer is informed of the following Commercial Partners’ privacy policies and security measures applicable to the services provided:
https://www.tiktok.com/legal/page/eea/privacy-policy/en
https://twitter.com/en/privacy
https://values.snap.com/privacy/privacy-policy
https://www.amazon.com/gp/help/customer/display.html/?ie=UTF8&nodeId=468496
https://advertising.amazon.com/terms
https://advertising.amazon.com/dsp/agreement/advertiserAudience/en
8. PERSONAL DATA BREACH
8.1 The Provider will, without undue delay, notify the Customer in writing (email is sufficient) of a Personal Data Breach affecting Customer Personal Data. Upon request, the Provider will provide information to the Customer to fulfil any obligation mandated by the Applicable Data Protection Law and will investigate or notify applicable authorities (except that the Provider reserves the right to redact information that is confidential).
9. INTERNATIONAL TRANSFERS OF PERSONAL DATA
9.1 Where EU Data Protection Law applies, the Provider (and any Subprocessor) shall not transfer or permit any Personal Data shared by the Customer to be transferred to a territory outside of the EU/EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data. A list of countries recognized by the European Commission providing adequate protection can be found at this link.
9.2 Unless the Provider (or any Subprocessor) transfers Personal Data pursuant to a transfer mechanism specified in Section 9.1 above, the Provider shall execute and abide by the Controller to Processor SCCs, which shall apply to Processing of Personal Data in countries outside the EU and EEA that do not provide an adequate level of data protection. To the extent that the Parties transfer Personal Data in reliance on the Standard Contractual Clauses, the Parties agree that by executing this DPA they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this DPA. The Parties agree that, with respect to the elements of the Standard Contractual Clauses that require the Parties’ input, ANNEX A (ii) and (iv) contains the relevant information. Where and to the extent that the Controller to Processor Standard Contractual Clauses apply pursuant to this Section 9, if there is any conflict between this DPA and the Controller to Processor Standard Contractual Clauses, the standard clauses shall prevail.
9.3 If Provider’s (or any of its Subprocessors’) Processing of Personal Data involves the transfer of Personal Data of Data Subjects in the United Kingdom to a jurisdiction not recognized as providing an adequate level of data protection, the SCCs shall apply subject to the terms of the “UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A of the United Kingdom Data Protection Act 2018 (“UK Addendum”).
10. SUBPROCESSOR
10.1 The Provider is granted a general authorization to subcontract the processing of Customer Personal Data to Subprocessors, provided that:
The Customer is provided with an opportunity to object to the appointment of each Subprocessor within thirty (30) business days after the Provider notifies the Customer in writing;
The Provider enters into a written contract with the Subprocessor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures;
10.2 Subprocessors approved by conclusion of this DPA are listed in Annex A (iii).
10.3 The Provider will be liable for the acts or omissions of its Subprocessors to the same extent as the Provider would be liable if performing the services of the Subprocessor directly under this DPA.
11. TERM AND TERMINATION
11.1 This DPA will remain in full force and effect so long as:
(a) the Main Agreement remains in effect; or
(b) the Provider retains any of the Personal Data related to the Main Agreement in its possession or control in its capacity as the Customer’s Processor.
11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Main Agreement in order to protect the Personal Data will remain in full force and effect.
11.3 If a change in any EU Data Protection Law prevents either Party from fulfilling all or part of its Advertising Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the EU Data Protection Law within thirty (30) calendar days, either Party may terminate the Advertising Agreement with immediate effect on written notice to the other Party.
12. DATA RETURN AND DESTRUCTION
12.1 At the Customer's request, the Provider will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
12.2 Upon termination of the Main Agreement for any reason or expiry of its term, the Provider will securely delete or destroy, or if directed in writing by the Customer, return and not retain all or any of the Personal Data related to this DPA in its possession or control.
12.3 If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement.
12.4 The Provider will upon Customer's request certify in writing that it has deleted or destroyed the Personal Data after it completes the deletion or destruction.
13. RECORDS
13.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, Subprocessors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 7.1 (Security) and will upon request share these Records with the Customer.
13.2 The Customer and the Provider must review the information listed in the Annexes to this DPA upon each Party's request to confirm its current accuracy and update it when required to reflect current practices.
14. AUDIT
14.1 The Provider will permit the Customer and its third-party representatives (non-competitive to the Provider) to audit, at most once a year (unless following a security incident), the Provider’s compliance with its Agreement obligations, during the Provider’s regular business hours, on at least thirty (30) days’ notice, during the Term of the Agreement. The Provider will give the Customer and its third-party representatives all reasonable assistance to conduct such audits.
14.2 The notice requirements in Clause 14.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring or the Provider is in material breach of any of its obligations under this DPA.
14.3 Customer agrees that, to the extent applicable, Provider’s then-current audit reports (such as SOC 2 Type II, or comparable industry-standard reports) and/or Provider’s ISO 27001 certification will be used to satisfy any audit or inspection requests by or on behalf of Customer, and Provider shall make such reports available to the Customer.
15. LIABILITY
15.1 The Provider shall not incur any liability for any claim brought by a Data Subject arising from any action by the Provider to the extent that such action resulted directly from the Customer’s instructions.
15.2 The Provider’s overall aggregate liability, including any members of the Aleph Group, arising out of, or in connection with this DPA will be subject to the aggregate limitation of liability that has been agreed between the Parties under the Main Agreement.
15.3 In no event shall the Provider’s aggregate liability exceed the total value of all advertising purchased under the Main Agreement by the Customer within twelve (12) months preceding the incident giving rise to liability. In the event of any conflict between the provisions of this DPA and the Main Agreement, the provisions of the DPA shall prevail.
16. NOTICE
16.1 Any notice or other communication given to a Party under or in connection with this DPA must be in writing and delivered to:
For the Customer: The Customer’s email contact address for notices as listed on the Information Table.
For the Provider: [email protected]
16.2 Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
16.3 The Parties agree to inform each other immediately about any changes to the provided contact details in 16.1.
17. SEVERANCE
17.1 Should any provision of this DPA be invalid or unenforceable, then the remainder of it shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.
ANNEX A: PERSONAL DATA PROCESSING PURPOSES AND OTHER DETAILS
(i)
Nature and Purpose of Processing. The Provider will process Customer Personal Data when providing Services under the Main Agreement to be able to render the Services.
Duration of Processing. For so long as:
(a) the Main Agreement remains in effect; or
(b) the Provider retains any of the Customer Personal Data related to the Main Agreement in its possession or control.
(ii) Description of Processing Activities
Meta Services [applicable based on the concluded Main Agreement]:
Processing Activity. The Customer discloses Personal Data to the Provider when conducting Lead Generation campaigns. This processing activity occurs only when:
advertiser creates a Lead Generation form on Facebook (“instant form”);
the Customer shares their Facebook page with the Provider; and
the Provider’s team assigns an admin role to themselves for the Customer’s Facebook page.
Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.
Categories of Personal Data. Any Personal Data the Customer discloses to Aleph according to the information provided via an instant form. This usually includes the full name, telephone number and email of the End User, but depends on the content of the instant form and can vary.
Categories of Sensitive Personal Data. None.
Applicable SCCs Module. Module 2; Module 3 if the Customer acts as a Processor to another Controller.
TikTok Services [applicable based on the concluded Main Agreement]:
Processing Activity. The Customer discloses Personal Data to the Provider when conducting Lead Generation campaigns. This processing activity occurs only when:
advertiser creates a Lead Generation form on TikTok (“instant form”);
the information from Lead Generation campaigns needs to be downloaded and forwarded to the Customer because the Customer cannot do so themselves, not having full admin rights to Aleph’s BC.
Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.
Categories of Personal Data. Any Personal Data the Customer discloses to Aleph according to the information provided via an instant form. This usually includes the full name, telephone number and email of the End User, but depends on the content of the instant form and can vary.
Categories of Sensitive Personal Data. None.
Applicable SCCs Module. Module 2; Module 3 if the Customer acts as a Processor to another Controller.
X Services [applicable based on the concluded Main Agreement]:
Processing Activity. The Customer discloses Customer Personal Data to the Provider:
(a) when the Customer creates a new audience by uploading its list to X directly itself and grants access rights to the same audience list to Aleph; and/or
(b) when the Customer wants to create a new audience and sends the new audience to Aleph for direct upload. The Customer can grant access rights to the same audience list to the Service Provider or not.
Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.
Categories of Personal Data. For processing activity under (a): emails, phone numbers, mobile advertising IDs, XIDs, and X usernames, only as hashed data.
For processing activity under (b): emails, phone numbers, mobile advertising IDs, XIDs, and X usernames.
Hashed Customer Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless the Controller instructs Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from the Controller.
Categories of Sensitive Personal Data. None.
Applicable SCCs Module. Module 2; Module 3 if the Customer acts as a Processor to another Controller.
Snapchat Services [applicable based on the concluded Main Agreement]:
Processing Activity.
(a) The Customer discloses Personal Data to the Provider when conducting in-app Lead Campaigns. This processing activity occurs only when the Customer grants access to the Provider to their Ads Manager.
(b) The Customer discloses Personal Data to the Provider when conducting Lead Campaigns. This processing activity only occurs when the Customer wishes the Provider to launch the campaign using the Provider’s Ads Manager.
Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.
Categories of Personal Data. For processing activities under a. and b. - any Personal Data the Customer discloses to Aleph via a Lead Form. This always includes the full name, telephone number and/or email of the End User, but can vary depending on the information provided by the Customer via the Lead Form. Please see here the detailed Forms Fields Summary for more information on optional fields and custom questions.
Categories of Sensitive Personal Data. None.
Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.
Amazon Services [applicable based on the concluded Main Agreement]:
Processing Activity. The Customer discloses Personal Data to the Provider when Customer creates a hashed data file (“File”) and shares it with the Provider to upload on the Platform.
Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.
Categories of Personal Data. Customer’s End User Personal Data. The File contains fields for:
email,
phone,
first name,
last name,
street address,
city,
state/province,
postal code
with minimum one (1) required field to be filled out by the Customer. All personal data in the File are hashed.
Hashed Customer Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless the Controller instructs Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from the Controller.
Categories of Sensitive Personal Data. None.
Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.
Reddit Services [applicable based on the concluded Main Agreement]:
Processing Activity. The Customer discloses Customer Personal Data to the Provider when the Customer wants to create a new audience on Reddit, and sends the new audience list to Aleph for direct upload.
*Two presets are available when uploading the new audience:
pre-hashed emails and unhashed mobile advertising IDs (“MAIDS”), and
unhashed emails and MAIDs.
Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.
Categories of Personal Data. Emails and MAIDS of End Users.
Hashed Customer Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless the Controller instructs Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from the Controller.
Categories of Sensitive Personal Data. None.
Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.
(iii) Provider's Sub-processors:
Company: Google
Location:
Dublin, Ireland
Eemshaven, Netherlands
Fredericia, Denmark
Hamina, Finland
Middenmeer, Netherlands
St. Ghislain, Belgium
Purpose: Google Workspace services
Company: Hetzner (for Customers established in Europe)
Location: Germany
Purpose: Backup
Company: AWS (for Customers established outside Europe)
Location: Singapore
Purpose: Cloud servers and services, CDN, Backup
Company: Amazon
*only applies to Customers receiving Amazon Services
Location: Seattle, USA
Purpose: Campaign Optimization
Company: NextLink
Location: Switzerland
Purpose: Basic IT Support
Company: Kontron
Location: Slovenia
Purpose: Servers maintenance
Company: Aleph Group Subsidiaries and Affiliates
*only applies when the Customer's account is not handled exclusively by a team located in the EEA.
Location: see list (upon request)
Purpose: Performance of contract
Company: Cyberproof
Location: Spain
Purpose: SOC security service
(iv) Mutually accepted provisions to the applicable Standard Contractual Clauses (only applicable to the extent that the Parties transfer Customer Personal Data in reliance on the Standard Clauses):
Clause 7: The parties do not permit docking.
Clause 9, Module 2(a): The parties select Option 2. The time period is 5 days.
Clause 9, Module 3(a): The parties select Option 2. The time period is 5 days.
Clause 11(a): The parties do not select the independent dispute resolution option.
Clause 17: The parties agree that the governing jurisdiction is the Member State in which the data exporter is established.
Clause 18: For Modules 1-3, the parties agree that the forum is the Member State in which the data exporter is established.
Annex I(A): The data exporter is the Customer. The data importer is Aleph. Contact details for the parties are part of the Agreement.
Annex I(B): The parties agree that ANNEX A describes the transfer.
Annex I(C): The competent supervisory authority is the supervisory authority that has primary jurisdiction over the data exporter.
Annex II: The parties agree that ANNEX B describes the technical and organisational measures applicable to the transfer.
Annex III: The parties agree that ANNEX A states the authorised Subprocessors.
ANNEX B: ALEPH'S TECHNICAL AND ORGANISATIONAL MEASURES FOR DATA PROTECTION
Regular testing, assessing and evaluation
All measures and policies shall be reviewed, evaluated and adopted on a yearly basis.
Granting and revoking authorizations or accesses
The purpose of a policy of granting and revoking authorizations or accesses is to reduce the chances of unauthorised logical access to the information system (IS), data and information.
Authorization shall be:
triggered by an individual or defined in the work scope of the employee;
approved by an authorised person or company director;
access is then granted by the System Administrator;
the employee must sign a statement of responsibility as it is defined for all secure premises or IS.
Withdrawal of authorization shall be:
initiated by an authorised person or upon termination of a contract of employment or business cooperation;
the accesses are taken away by the System Administrator;
resignation statements must be signed.
The mandatory steps for new employees
Software that is mandatory for company-owned devices
MDM - Mobile device management
EDR - Endpoint Detection and Response
SIEM - central collection of log files
Vulnerability management
Physical access policy
The offices are protected by access control and a mechanical lock.
All access to certain predefined premises shall be recorded in the central system of the Organization which only authorised persons have access to.
The entire facility, including the office, is protected by an alarm system activated by the last authorised person upon departure from the office and switched off by the first authorised person upon arrival at the office.
Allocation of alarm codes is done by the director or by a person authorised by the director. Upon receipt of the alarm code, the person signs for it and commits to protecting access and information.
The archive room, server room and co-location of server infrastructure are specially protected. Only persons authorised by the company director have access. The authorised person must sign the Statement of Awareness of the Privacy Policy and must comply with the Privacy and Confidentiality Policy. Entry by unauthorised persons is prohibited and disabled.
Access to Source Data: Only authorised persons have access to the source data.
Saving Data Copies: The copies are stored in specially protected premises.
Company data storage: Users must store company data in the company-approved storage, Google Drive. It is not permitted to use removable storage or local storage devices.
Destruction/Deletion of Data
Destruction of Data Copies: To delete data from computer media, a method of erasure shall be used that makes it impossible to restore all or part of the deleted data.
Personal data contained on traditional media (documents, files, registers, lists, ...) are erased by destruction of the media. The media are physically destroyed (cut) at the premises of the Organization.
Digital media (hard drives, USB sticks) are physically destroyed after the end of their useful life. Carriers are permanently destroyed (drilled, cut, ...) by a technical and maintenance worker (system administrator).
With care and diligence laid down in this policy for the destruction of personal data kept in databases or on individual media, the supporting documentation must also be deleted and destroyed.
When the destruction of the storage media takes place outside the premises of the Organization, the destruction must be attended by at least two persons who must make a record containing the following information:
Control of Company Network Access
Secured networks: Wireless access to the network is protected by WPA2 + AES and by registering the device in the routers (MAC authentication). An arbitrary device that knows the password cannot connect to the IT network.
Guest access: Guest access is a separate IT network that is not connected to the central IT networks of the Organization. The network is protected by WPA2 + AES and device isolation. The network is free for use by all company guests and employees (third parties), who can access the network only by entering a password. The password is changed once a year.
Remote access: Remote access is possible via VPN, where: access is granted only to persons who have been granted such access by an authorised person and have signed the provisions of such access; user authentication is possible with a password and a digital certificate; each access is logged on the servers and kept for at least 3 months.
IS Change Control Policy
Installing the Software: To avoid system malfunctions and reduce security vulnerabilities: compliance with all licence terms of the software is expected; only software approved by the system administration may be installed; software that has been whitelisted in the MDM can be installed; employees do not have rights to install software.
Technical measures and description of IS
Development environment
Test environment: Staging is primarily intended for the manual testing of new IS functionality before upgrading the production environment. Access to production is not possible from the test environment. Data is test data and anonymised; the server infrastructure is duplicated. This environment is also used to introduce new functionalities to our business partners. Only ISPs can be upgraded to the test environment (Technical Director, Team Leaders). The entire development team has access to the environment.
Production environment: Access is restricted to technical directors, development team leaders and system administrators only. An IS upgrade in this environment can only be done after thorough automatic and manual IS testing in the development and test environment.
Audit trail policy
The aim is to ensure traceability of data in cases of misuse. To the extent possible, responsibility for turning on and controlling systems or functionality for monitoring audit trails is: System Administrator for System / Infrastructure Access; IT Director for IS Change; Cybersecurity Director for investigating possible incidents; Chief People Officer for Employee Documentation.
Password management and security policy
Employees must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Passwords are a key part of IT’s strategy to make sure only authorised people can access those resources and data. All employees who have access to any of those resources are responsible for choosing strong passwords or passphrases (where available) and protecting their log-in information from unauthorised people.
Malware protection policy
Device protection: All devices that have this feature and are a frequent target of attacks should have the latest antivirus protection installed, which should be updated regularly and automatically.
Protecting IT infrastructure
Firewall: On a secure network as well as on the server infrastructure, an active firewall must be installed that operates on a whitelist principle and allows outbound traffic only through designated exit routes (ports). The restriction applies to both secure networked areas and the guest network.