Register

Please register below to gain access to exclusive insights, case studies, reports and more.

Country*
Afghanistan
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Australia
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belgium
Belize
Benin
Bermuda
Bhutan
Bolivia
Bosnia and Herzegovina
Botswana
Bouvet Island
Brazil
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cabo Verde
Cambodia
Cameroon
Canada
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos Islands
Colombia
Comoros
Congo Democratic Republic
Congo
Cook Islands
Costa Rica
Croatia
Cuba
Curaçao
Cyprus
Czechia
Côte d'Ivoire
Denmark
Djibouti
Dominica
Dominican Republic
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Eswatini
Ethiopia
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Vatican
Honduras
Hong Kong
Hungary
Iceland
India
Indonesia
Iran
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Japan
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
North Korea
Korea
Kuwait
Kyrgyzstan
Lao
Latvia
Lebanon
Lesotho
Liberia
Libya
Liechtenstein
Lithuania
Luxembourg
Macao
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia
Moldova
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Norway
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippine
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
North Macedonia
Romania
Russia
Rwanda
Réunion
Saint Lucia
Saint Martin
Saint Pierre and Miquelon
Saint Vincent and the Grenadines
Samoa
San Marino
Sao Tome and Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Singapore
Sint Maarten
Slovakia
Slovenia
Solomon Islands
Somalia
South Africa
South Sudan
Spain
Sri Lanka
Sudan
Suriname
Svalbard and Jan Mayen
Sweden
Switzerland
Syrian Arab Republic
Taiwan
Tajikistan
Tanzania
Thailand
Timor-Leste
Togo
Tokelau
Tonga
Trinidad and Tobago
Tunisia
Turkey
Turkmenistan
Turks and Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United Kingdom
United States Minor Outlying Islands
United States of America
Uruguay
Uzbekistan
Vanuatu
Venezuela
Vietnam
British Virgin Islands
Virgin Islands US
Wallis and Futuna
Western Sahara
Yemen
Zambia
Zimbabwe
Aland Islands

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM 

Last updated 16 June, 2025

This Data Processing Addendum (“DPA”) forms a legally binding contract between You (“Customer” or “Controller”) and Aleph (“Provider”), applies to the extent Aleph processes Customer Personal Data on Your behalf, and is incorporated into the Advertising Services Agreement, Insertion Order or other contract that You and Aleph may have entered into (“Main Agreement”). For any questions related to this DPA, please see our FAQ document. If you require a signed version of this DPA, please contact us.

BACKGROUND AND RELATIONSHIP WITH THE MAIN AGREEMENT

  1. The Customer and the Provider (the “Parties”, and each a “Party”) entered into the Main Agreement that may require the Provider to process Personal Data on behalf of the Customer.

  2. This DPA is incorporated into and subject to the terms of the Main Agreement, and sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing Services. The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes. In the case of conflict or ambiguity between any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail.

  3. This DPA shall become effective upon full execution of the Information Table by the Parties. 

  4. The Parties agree that this DPA will replace any existing data processing agreement the Parties may have previously entered into in connection with the provided Services.

  5. Except for the changes made by this DPA, the Main Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Main Agreement, this DPA will prevail to the extent of that conflict. Any claims brought under or in connection with this DPA will be subject to the Main Agreement. In the event the Parties use an International Data Transfer Mechanism and there is a conflict between the obligations in that International Data Transfer Mechanism and this DPA, the International Data Transfer Mechanism will prevail.

  6. To the extent that a Commercial Partner that the Customer receives Services for amends any of the terms and conditions applicable to the Provider that affect any of the conditions related to the Processing of Customer Personal Data or the data protection obligations and rights of any of the Parties, the Customer acknowledges and agrees that they shall execute an Addendum to this DPA to continue receiving the Services from the Provider.

AGREED TERMS

  1. DEFINITIONS AND INTERPRETATION

The following definitions apply in this DPA. Terms not defined in this DPA will have the meaning set forth in the Main Agreement.

“Advertising Agreement” means any existing or future legally binding contractual relationship between Aleph and the Customer, including any exhibits and/or attachments applicable to the covered Services, the Aleph Terms and Conditions available at https://www.alephholding.com/terms-and-conditions, and Order Forms. 

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Aleph Group” means Aleph Group Inc. together with all its subsidiaries and affiliates.

“Applicable Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.

“Authorised Person(s)” the persons or categories of persons that the Customer authorised to give the Provider written personal data processing instructions as defined in Annex A and from whom the Provider agrees solely to accept such instructions.

Commercial Partner” means a corporation or other legal entity which has selected Aleph or another member of the Aleph Group. as their official commercial representative for advertising services in the applicable territory and whose services the Parties use in order to fulfil their obligations under the Advertising Agreement. For the avoidance of doubt, Commercial Partner shall only refer to the corporations or entities that are specifically covered under the Advertising Agreement(s), Service Agreement, Multichannel Agreement, Order Form, or similar agreement (“Main Agreement”) between the Parties.  Annex A and clause 7.3 shall be deemed applicable only to the extent that the Commercial Partner is among Managed and/or Self-Service platforms of the Main Agreement. The processing details for the rest of the corporations or entities under Annex A and security measures in clause 7.3 shall apply only in the event of an amendment to the Main Agreement where Customer wishes to receive Services for a platform that is not a Commercial Partner in this DPA or in case Customer decides to enter into a new Main Agreement with the Provider or another member of the Aleph Group where Services rendered will concern a platform that does not constitute a Commercial Partner under this DPA. 

Communications” shall mean Provider´s success stories, product briefs sent out on an ad hoc basis, upcoming events invitations, only related to provision of the Services, sent to the Customer while providing contractually agreed Services.

Controller”, “Processor”, “Data Subject”, “Personal Data”, “Sensitive Personal Data”, “Processing”, “Special Categories of Personal Data”, “Consent”, “Personal Data Breach” and “Supervisory Authority” shall have the meaning given in EU Data Protection Law.

Customer Personal Data” shall mean the End User Personal Data that is listed under Annex A (ii) of this DPA.

EEA” shall mean the European Economic Area.

End User” shall mean a person who ultimately uses or intended to ultimately use the Customer’s products and/or services. 

EU” means the European Union.

EU Data Protection Law” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”), as amended; (ii) the EU Directive 2009/136/EC, as amended (the “E-Privacy Directive”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding the GDPR and the E-Privacy Directive; and (iv) any legislation replacing or updating any of the foregoing.

“Purposes”: the Services to be provided by the Provider to the Customer as described in the Advertising Agreement and any other purpose specifically identified in Annex A.

“Subprocessor” shall mean a member of the Aleph Group or third-party entity engaged by Aleph or member of the Aleph Group as a Processor under this DPA. 

Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914/EC of 4th of June 2021, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=SL for the transfer of Personal Data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and the Council.

  1. RELATIONSHIP OF THE PARTIES

  1. Customer is a direct advertiser:  The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, the Provider is a Processor acting on behalf of the direct advertiser ("Controller"). The scope, classification and details of Customer Personal Data Processing are described in Annex A.

  2. Customer is an Agency: The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, the Provider is a Sub-processor acting on behalf of the Agency (“Processor”). Agency’s clients (“Advertisers”) shall have sole and exclusive authority to determine the purposes and means of any Processing of Customer Personal Data in the context of the Agreement as the Controller. The Provider shall Process Customer Personal Data only on behalf of and for the benefit of the Controller in the context of its direct business relationship with Agency and to carry out its obligations pursuant to the Agreement and the Controller’s reasonable and lawful written instructions, as they may be issued by the Controller from time to time. The scope, classification and details of Customer Personal Data Processing are described in Annex A. Accordingly, if any provision herein refers to the Customer acting as a Controller, this should be interpreted by the Parties as referring to the Customer acting as a Processor.  Any obligations of the Customer that are obligations of the Controller under the Applicable Data Protection Law shall be deemed to refer to the Agency’s Advertisers instead.


  1. PERSONAL DATA TYPES AND PURPOSES

The Customer and the Provider agree and acknowledge that for the purpose of the EU Data Protection Law:

  1. The Customer is the Controller and the Provider is the Processor. 

  2. The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the EU Data Protection Law, including, but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.

  3. Annex A describes Personal Data Processing Purposes and all other relevant details of Processing Activities.

    4. GENERAL TERMS

The Parties shall comply with their respective obligations under EU Data Protection Law. 

Cooperation:

Data Subject Requests. (4.1) Facilitation of Responses. The Services provide the Customer with a number of controls that the Customer may use to retrieve, correct, delete, or restrict Customer Data, which the Customer may use to assist it in connection with its obligations under EU Data Protection Law, including its obligations relating to responding to requests from Data Subjects or applicable data protection authorities. To the extent that the Customer is unable to independently access the relevant Customer Data within the Services, Aleph will provide reasonable assistance to respond to any such requests from Data Subjects or competent data protection authorities relating to the Processing of Customer Data under this DPA. (4.2) Requests received by Aleph. Should Aleph receive any requests from Data Subjects to exercise their rights, Aleph will not respond to such Data Subject except to acknowledge their request and notify the individual of the need to submit the request directly to the Customer, and will promptly notify the Customer of the request, unless legally prohibited from providing such notification. Aleph will provide the Customer with commercially reasonable assistance, upon request, to help the Customer to respond to such requests.

5. OBLIGATIONS OF THE CUSTOMER

5.1 The Customer remains the sole Controller regarding the Personal Data and is responsible for the legality of the Processing under the EU Data Protection Law, including but not limited to, providing any required notices and obtaining any required consents from the Data Subjects and for the written  instructions of an Authorised Person to the Provider. Verbal instructions of the Authorised Person shall  be confirmed in writing. 

5.2 The Customer warrants and represents that the Provider´s expected use of the Personal Data for the Purposes, and as specifically instructed by the Customer, will comply with the EU Data Protection Law.

5.3 The Customer warrants and represents that its Processing instructions comply with all Applicable Data Protection Laws and is solely responsible for ensuring the use of the correct legal basis when processing Customer Personal Data, including obtaining Consent from End Users, where applicable. The Customer further acknowledges that, taking into account the nature of the Processing, the Provider is not in a position to determine whether the Customer’s instructions infringe Applicable Data Protection Laws and shall not incur any liability in the event the Customer violates its obligation under clauses 5.1 and 5.2 of this DPA.

5.4 The Customer shall not knowingly collect, use or disclose (or enable collection, use or disclosure of) Personal Data, or data of children under the age of sixteen (16) in the EU/EEA in connection with the platforms of the Commercial Partner they receive Services for and to the extent applicable. 

5.5 The Customer shall, and will contractually require any other third parties that collect data through ads, to post on their respective websites and adhere to privacy policies that comply with Applicable Data Protection Laws. The Customer shall not alter and shall prohibit other third parties from altering any ad tags to pass information to the Commercial Partner it receives Services for that it could use or recognize as Personal Data. The Customer shall not collect, use or disclose, or enable any third party to collect, use or disclose, in any manner any Personal Data in connection with the serving of ads on the publisher properties. In addition, the Customer shall not associate cookies or pixels used in connection with the Main Agreement with Personal Data. In connection with the use of the platform of the Commercial Partner that the Customer receives Services for, the Customer shall not engage in any conduct that renders or is likely to render the Commercial Partner or its Affiliates to be in breach of any Applicable Data Protection Laws.

5.6 The Customer shall not use a platform of the Commercial Partner they receive Services for to collect information about or reach audiences based on sensitive personal information as defined by Applicable Data Protection Laws, such as certain financial status or health and medical information, and will not provide such information to the Commercial Partner in connection with their use of the its platform.

5.7 The terms in clauses 5.5 and 5.6 of this DPA shall only apply to the extent applicable based on the environment and functionalities of the platforms that the Customer receives Services for. 


6. PROVIDER´S OBLIGATIONS

6.1 The Provider will process Customer Personal Data only in accordance with documented instructions from the Customer. The Main Agreement (including this DPA) constitutes such documented initial instructions. The Provider will use reasonable efforts to follow any other Customer  instructions, as long as they are required by Applicable Data Protection Law and are technically feasible. If any of the before-mentioned exceptions apply, or the Provider otherwise cannot  comply with an instruction or is of the opinion that an instruction infringes Applicable Data Protection Law, the Provider will  immediately notify the Customer (email permitted). 

6.2 The Provider may process Customer Personal Data as necessary to detect security incidents or protect against fraudulent or illegal activity and to maintain the level of quality of the Services as agreed in the Advertising Agreement. 

6.3 The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unlawful processing.

6.4 The Provider will maintain the confidentiality of the Personal Data and will not disclose the Customer Personal Data to third parties (except to Commercial Partner where  applicable) unless the Customer or this DPA specifically authorises the disclosure, or as required by national law, court or regulator. If national law, court or regulator requires the Provider to process or disclose the Personal Data to a third party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the national law prohibits such notice.

6.5 The Provider will reasonably assist the Customer with meeting the Customer´s compliance obligations under the EU Data Protection Law, taking into account the nature of the Provider´s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the competent Supervisory Authority under the EU Data Protection Law.

6.6 The Provider shall notify the Customer, if informed, of any changes to the EU Data Protection Law that may in his opinion reasonably be interpreted as adversely affecting the Provider´s performance of the Advertising Agreement or this DPA.

6.7 The Provider will ensure that all of its employees, contractors, agents and interns:

  1. Are informed of the confidential nature of the Customer Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;

  2. Have undertaken training on the EU Data Protection Law and how it relates to their handling of the Personal Data and how it applies to their particular duties.

7.  SECURITY

7.1 The Provider must at all times implement appropriate technical and organisational measures against accidental or unlawful destruction, loss,  unauthorised access or disclosure of, alteration, and reproduction, of the Customer Personal Data including, but not limited to, the security measures set out in Annex B. 

7.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  1. The anonymisation/pseudonymisation and encryption of personal data;

  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

  4. A process for regularly testing, assessing and evaluating the effectiveness of the security measures.

7.3 The Customer is informed of the following Commercial Partner's privacy policy and security measures applicable to the services provided:

https://www.tiktok.com/legal/page/eea/privacy-policy/en  

  • X Services: 

https://twitter.com/en/privacy 

  • Snapchat Services: 

https://values.snap.com/privacy/privacy-policy  

  • Amazon Services: 

https://www.amazon.com/gp/help/customer/display.html/?ie=UTF8&nodeId=468496, https://advertising.amazon.com/terms, https://advertising.amazon.com/dsp/agreement/advertiserAudience/en.


8. PERSONAL DATA BREACH

8.1 The Provider will, without undue delay, notify the Customer in writing (email is sufficient) of a Personal Data Breach affecting Customer Personal Data. Upon request, the Provider will provide information to the Customer to fulfil any obligation mandated by the Applicable Data Protection Law and will investigate or notify applicable authorities (except that the Provider reserves the right to redact information that is confidential). 


9. INTERNATIONAL TRANSFERS OF PERSONAL DATA 

9.1  Where EU Data Protection Law applies, the Provider (and any Subprocessor) shall not transfer or permit any Personal Data shared by the Customer to be transferred to a territory outside of the EU/EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data. A list of countries recognized by the European Commission providing adequate protection can be found at this link.

9.2 Unless the Provider (or any Subprocessor) transfers Personal Data pursuant to a transfer mechanism specified in Section 9.1 above, the Provider shall execute and abide the Controller to Processor SCCs  which shall apply to Processing of Personal Data in countries outside the EU and EEA that do not provide an adequate level of data protection. To the extent that the Parties transfer Personal Data in reliance on the Standard Clauses, the Parties agree that by executing this DPA they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this DPA. The Parties agree that, with respect to the elements of the Standard Contractual Clauses that require Parties´ input, ANNEX A (ii) and (iv) contains the relevant information. Where and to the extent that the Controller to Processor Standard Clauses apply pursuant to this Section 9, if there is any conflict between this DPA and the Controller to Processor Standard Clauses, the standard clauses shall prevail.

9.3 If Provider’s (or any of its Subprocessors) Processing of Personal Data involves the transfer of Personal Data of Data Subjects in the United Kingdom to a jurisdiction not recognized as providing an adequate level of data protection, the SCCs shall apply subject to the terms of the UK Addendum to the EU Standard Contractual Clauses” issued by the Information Commissioner’s Office under s.119A of the United Kingdom Data Protection Act 2018 (“UK Addendum”). 

10. SUBPROCESSOR

10.1 The Provider is granted a general authorization to subcontract the processing of Customer Personal Data to Subprocessors,  provided that:

  1. The Customer is provided with an opportunity to object to the appointment of each Subprocessor within thirty (30) business days after the Provider notifies  the Customer in writing;

  2. The Provider enters into a written contract with the Subprocessor that contains terms substantially the same as those set out in this DPA, in particular, in relation to requiring appropriate technical and organisational data security measures;

10.2 Sub-processors approved by conclusion of this DPA are listed in Annex A (iii).

10.3 The Provider will be liable for the acts or omissions of its Subprocessors to the same extent as the Provider would be liable if performing the services of the Subprocessor directly under this DPA. 

11. TERM AND TERMINATION

11.1 This DPA will remain in full force and effect so long as:

(a) the Main Agreement remains in effect; or

(b) the Provider retains any of the Personal Data related to the Main Agreement in its possession or control in its capacity as the Customer´s Processor.

11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Main Agreement in order to protect the Personal Data will remain in full force and effect.

11.3 If a change in any EU Data Protection Law prevents either Party from fulfilling all or part of its Advertising Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the EU Data Protection Law within thirty (30) calendar days, either Party may terminate the Advertising Agreement with immediate effect on written notice to the other Party.

12. DATA RETURN AND DESTRUCTION

12.1 At the Customer's request, the Provider will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

12.2. Upon termination of the Main Agreement for any reason or expiry of its term, the Provider will securely delete or destroy, or if directed in writing by the Customer, return and not retain all or any of the Personal Data related to this DPA in its possession or control. 

12.3. If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement.

12.4 The Provider will upon Customer's request certify in writing that it has deleted or destroyed the Personal Data after it completes the deletion or destruction.

13. RECORDS

13.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, Subprocessors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in Clause 7.1 (Security) and will upon request share these Records with the Customer.

13.2 The Customer and the Provider must review the information listed in the Annexes to this DPA upon each Party's request to confirm its current accuracy and update it when required to reflect current practices. 

14. AUDIT

14.1 The Provider will permit the Customer and its third-party representatives (non-competitive to the Provider) to audit, max. once a year (if not followed by a security incident), the Provider´s compliance with its Agreement obligations, during the Provider´s regular business hours, on at least thirty (30) days´ notice, during the Term of the Agreement. The Provider will give the Customer and its third-party representatives all reasonable  assistance to conduct such audits. 

14.2 The notice requirements in Clause 14.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring or the Provider is in material breach of any of its obligations under this DPA.   

14.3 Customer agrees that, to the extent applicable, Provider’s then-current audit reports (such as SOC 2 Type II, or comparable industry-standard reports) and/or Provider’s ISO 27001 certification will be used to satisfy any audit or inspection requests by or on behalf of Customer, and Provider shall make such reports available to the Customer. 

15. LIABILITY

15.1 The Provider shall not incur any liability for any claim brought by a Data Subject arising from any action by the Provider to the extent that such action resulted directly from the Customer´s instructions.

15.2 The Provider’s overall aggregate liability, including any members of the Aleph Group, arising out of, or in connection with this DPA will be subject to the aggregate limitation of liability that has been agreed between the Parties under the Main Agreement. 

15.3 In no event shall the Provider’s aggregate liability exceed the total value of all advertising purchased under the Main Agreement by the Customer within twelve (12) months preceding the incident giving rise to liability. In the event of any conflict between the provisions of this DPA and the Main Agreement, the provisions of the DPA shall prevail. 

16. NOTICE

16.1 Any notice or other communication given to a Party under or in connection with this DPA must be in writing and delivered to:

For the Customer: The Customer’s email contact address for notices as listed on the Information Table. 

For the Provider: [email protected] 

16.2 Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

16.3 The Parties agree to inform each other immediately about any changes to the provided contact details in 16.1.

17. SEVERANCE

17.1 Should any provision of this DPA be invalid or unenforceable, then the remainder of it shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained herein.


ANNEX A: PERSONAL DATA PROCESSING PURPOSES AND OTHER DETAILS

(i) 

Nature and Purpose of Processing. The Provider will process Customer Personal Data when providing Services under the Main Agreement to be able to render the Services.

Duration of Processing. For so long as:

(a) the Main Agreement remains in effect; or

(b) the Provider retains any of the Customer Personal Data related to the Main Agreement in its possession or control.

     

(ii) Description of Processing Activities

Meta Services [applicable based on the concluded Main Agreement]:

Processing Activity. The Customer discloses Personal Data to the Provider when conducting Lead Generation campaigns. This processing activity occurs only when: 


  1. advertiser creates a Lead Generation form on Facebook (“instant form”);

  2. the Customer shares their Facebook page with the Provider; and

  3. the Provider’s team assigns an admin role to themselves for the Customer’s Facebook page.


Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.


Categories of Personal Data. Any Personal Data the Customer discloses to Aleph according to the information provided via an instant form. This usually includes the full name, telephone number and email of the End User, but depends on the content of the instant form and can vary.


Categories of Sensitive Personal Data. None.


Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.


TikTok Services [applicable based on the concluded Main Agreement]:

Processing Activity. The Customer discloses Personal Data to the Provider when conducting Lead Generation campaigns. This processing activity occurs only when: 

  1. advertiser creates a Lead Generation form on Tiktok (“instant form”);

  2. When the information from Lead Generation campaigns needs to be downloaded and forwarded to the Customer since they do not have that option to do themselves due to not having full admin rights to Aleph’s BC.

Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.


Categories of Personal Data. Any Personal Data the Customer discloses to Aleph according to the information provided via an instant form. This usually includes the full name, telephone number and email of the End User, but depends on the content of the instant form and can vary.


Categories of Sensitive Personal Data. None.


Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.


X Services [applicable based on the concluded Main Agreement]:

Processing Activity. The Customer discloses Customer Personal Data to the Provider: 

  1. when the Customer creates a new audience by uploading its list to X directly itself and grants access rights to the same audience list to Aleph; and/or

  2. when the Customer wants to create a new audience and sends the new audience to Aleph for direct upload. The Customer can grant access rights to the same audience list to the Service Provider or not.

Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.


Categories of Personal Data. For processing activity under a: emails, phone numbers, mobile advertising IDs, XIDs, and Xusernames only as hashed data.


For processing activity under b: emails, phone numbers, mobile advertising IDs, XIDs, and X usernames. 


Hashed Customer Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless the Controller instructs Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from the Controller.


Categories of Sensitive Personal Data. None.


Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.


Snapchat Services [applicable based on the concluded Main Agreement]:

Processing Activity. 

  1. The Customer discloses Personal Data to the Provider when conducting in-app Lead Campaigns. This processing activity occurs only when Customer grants access to the Provider to their Ads Manager.

  2. The Customer discloses Personal Data to the Provider when conducting Lead Campaigns. This processing activity only occurs when the Customer wishes the Provider to launch the campaign using the Provider’s Ads Manager.


Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.


Categories of Personal Data. For processing activities under a. and b. - any Personal Data the Customer discloses to Aleph via a Lead Form. This always includes the full name, telephone number and/or email of the End User, but can vary depending on the information provided by the Customer via the Lead Form. Please see here the detailed Forms Fields Summary for more information on optional fields and custom questions. 


Categories of Sensitive Personal Data. None.


Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.


Amazon Services [applicable based on the concluded Main Agreement]:

Processing Activity. The Customer discloses Personal Data to the Provider when Customer creates a hashed data file (“File”) and shares it with the Provider to upload on the Platform.


Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.


Categories of Personal Data. Customer’s End User Personal Data. The File contains fields for:

  • email,

  • phone,

  • first name,

  • last name,

  • street address,

  • city,

  • state/province,

  • postal code


with minimum one (1) required field to be filled out by the Customer. All personal data in the File are hashed. 


Hashed Customer Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless the Controller instructs Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from the Controller.


Categories of Sensitive Personal Data. None.


Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.


Reddit Services [applicable based on the concluded Main Agreement]:

Processing Activity. The Customer discloses Customer Personal Data to the Provider when the Customer wants to create a new audience on Reddit, and sends the new audience list to Aleph for direct upload. 

*two presets are available when uploading the new audience: 

  1. pre-hashed emails and unhashed mobile advertising IDs (“MAIDS”), and 

  2. unhashed emails and MAIDs.


Role of Each Party. The Customer is a Controller. Aleph is a Processor unless the Customer is acting on behalf of a third-party Controller.


Categories of Personal Data. Emails and MAIDS of End Users.


Hashed Customer Personal Data. If Aleph receives Customer Personal Data in hashed or otherwise obfuscated format, Aleph will: (i) not attempt to reverse engineer or otherwise try to re-identify the hashed or obfuscated Personal Data unless the Controller instructs Aleph to do so; and (ii) only share the Customer Personal Data in the format Aleph received it from the Controller.


Categories of Sensitive Personal Data. None.


Applicable SCCs Module. Module 2, Module 3, if the Customer acts as a Processor to another Controller.


(iii) Provider´s Sub-processors:

Company: Google

Location: 

Dublin, Ireland

Eemshaven, Netherlands

Fredericia, Denmark

Hamina, Finland

Middenmeer, Netherlands

St. Ghislain, Belgium

Purpose: Google Workspace services


Company: Hetzner (for Customers established in Europe)

Location: Germany

Purpose: Backup


Company: AWS (for Customers established outside Europe)

Location: Singapore

Purpose: Cloud servers and services, CDN, Backup


Company: Amazon

*only applies to Customers receiving Amazon Services

Location: Seattle, USA

Purpose: Campaign Optimization


Company: NextLink

Location: Switzerland

Purpose: Basic IT Support


Company: Kontron

Location: Slovenia

Purpose: Servers maintenance


Company: Aleph Group  Subsidiaries and Affiliates

*only applies when the Customer's account is not handled exclusively by a team located in the EEA.

Location: see list (upon request)

Purpose: Performance of contract


Company: Cyberproof

Location: Spain

Purpose: SOC security service


(iv) Mutually accepted provisions to the applicable Standard Contractual Clauses (only applicable to the extent that the Parties transfer Customer Personal Data in reliance on the Standard Clauses):

Clause 7: The parties do not permit docking.

Clause 9, Module 2(a): The parties select Option 2. The time period is 5 days. 

Clause 9, Module 3(a): The parties select Option 2. The time period is 5 days.

Clause 11(a): The parties do not select the independent dispute resolution option.

Clause 17: The parties agree that the governing jurisdiction is the Member State in which the data exporter is established.

Clause 18: For Modules 1-3, the parties agree that the forum is the Member State in which the data exporter is established. 

Annex I(A): The data exporter is the Customer. The data importer is Aleph. Contact details for the parties are part of the Agreement.

Annex I(B): The parties agree that ANNEX A describes the transfer.

Annex I(C): The competent supervisory authority is the supervisory authority that has primary jurisdiction over the data exporter.

Annex II: The parties agree that ANNEX B describes the technical and organisational measures applicable to the transfer.

Annex III: The parties agree that ANNEX A states the authorised Subprocessors.


ANNEX B: ALEPH'S TECHNICAL AND ORGANISATIONAL MEASURES FOR DATA PROTECTION

Regular testing, assessing and evaluation

All the measures and policies should be reviewed, evaluated and adopted on a yearly basis.


Granting and revoking authorizations or accesses

The purpose of a policy of granting and revoking authorizations or accesses is to reduce the chances of unauthorised logical access to the information system (IS), data and information.


Authorization shall be:

  • triggered by an individual or it’s defined in the work scope of the employee;

  • approved by an authorised person or company director;

  • access is then granted by the System Administrator;

  • the employee must sign a statement of responsibility as it is defined for all secure premises or IS.

Withdrawal of authorization shall be:

  • initiated by an authorised person or upon termination of a contract of employment or business cooperation;

  • the accesses are taken away by the System Administrator;

  • resignation statements must be signed.

The mandatory steps for new employees

  • Devices owned by the company need to be enrolled in a central MDM solution


Software that is mandatory for company-owned devices

  • MDM - Mobile device management 

  • EDR - Endpoint Detection and Response

  • SIEM - central collection of log files

  • Vulnerability management


Physical access policy

The offices are protected by access control and a mechanical lock.

All access to certain predefined premises shall be recorded in the central system of the Organization which only authorised persons have access to. 


The entire facility including the office is protected by an alarm system activated by the last authorised person upon departure from the office and switched off by the first authorised person upon arrival at the office.

Allocation of alarm codes is done by the director or therefore by an authorised person. Upon receipt of the alarm, the person signs the reverse and commits to protecting access and information.

Archive room, server room and Co-location of server infrastructure are specially protected. Only persons authorised by the company director have access. The authorised person must sign the Statement of Awareness of the Privacy Policy and must comply with the Privacy and Confidentiality Policy. Entry by unauthorised persons is prohibited and disabled.  

Access to Source Data: Only authorised persons have access to the source data.

Saving Data Copies: The copies are stored in specially protected premises.


Company data storage:  Users must store company data to the company-approved storage Google Drive. It is not permitted to use removable storage or local storage devices.


Destruction/Deletion of Data


Destruction of Data Copies: To delete data from computer media, such a method of erasure shall be used to make it impossible to restore all or part of the deleted data.


Personal data contained on traditional media (documents, files, register, lists, ...) are erased by destruction of the media. The beams are physically destroyed (cut) at the premises of the Organization.


Digital media (hard drives, USB sticks) are physically destroyed after the end of their useful life. Carriers are permanently destroyed (drilled, cut, ...) by a technical and maintenance worker (system administrator).


With care and diligence laid down in this policy for the destruction of personal data kept in databases or on individual media, the supporting documentation must also be deleted and destroyed.


When the destruction of the storage media takes place outside the premises of the Organization, the destruction must be attended by at least two persons who must make a record containing the following information:

  • what was destroyed,

  • when it was destroyed,

  • and signature of those present.

Control of Company Network Access


Secured networks:

Wireless access to the network is protected by WPA2 + AES and by registering the device into routers (MAC authentication). A random device that knows the password cannot connect to the IT network.


Guest access:

Guest access is a separate IT network that is not connected to the central IT networks of the Organization. The network is protected by WPA2 + AES and device isolation.

The network is free for use by all company guests and employees (third parties) who can access the network only by entering a password. The password is changed once a year.

Remote access:

Remote access is possible via VPN, where:

  • access is granted only to persons who have been granted such access by an authorised person and have signed the provisions of such access;

  • user authentication is possible  with a password and a digital certificate;

  • each access is logged on the servers and kept for at least 3 months.


IS Change Control Policy

Installing the Software:

To avoid system malfunctions and reduce security vulnerabilities:

  • compliance with all licensed terms of the software is expected.

  • only software approved by the system administration may be installed.

  • Software that has been whitelisted in the MDM  can be installed.

  • Employees do not have rights to install software.

Technical measurements and description of IS

Development environment:

  • The production environment is not accessible from the development environment.

  • Development is done using test and anonymized data (no individual can be identified).

Test environment:

  • Staging is primarily intended for the manual testing of new IS functionality before upgrading the production environment.

  • Access to production is not possible from the test environment.

  • Data is test data and anonymized; the server infrastructure is duplicated.

  • This environment is also used to introduce new functionalities to our business partners.

  • Only ISPs can be upgraded to the test environment (Technical Director, Team Leaders).

  • The entire development team has access to the environment.

Production environment:

  • Access is restricted to technical directors, development team leaders and system administrators only.

  • IS upgrade in this environment can only be done after thorough automatic and manual IS testing in the development and test environment.

Audit trail policy

The aim is to ensure traceability of data in cases of misuse. To the extent possible:

  • It must be on to record historical changes to data that cannot be modified by an individual.

  • All system accesses are recorded in fixed system logs.

Responsibility for turning on and controlling systems or functionality for monitoring audit trails is:

  • System Administrator for System / Infrastructure Access.

  • ITDirector for IS Change.

  • Cybersecurity Director for investigating possible incidents.

  • Chief PeopleOfficer for Employee Documentation.

Password management and security policy

Employees must access a variety of IT resources, including computers and other hardware devices, data storage systems, and other accounts. Passwords are a key part of IT’s strategy to make sure only authorised people can access those resources and data. All employees who have access to any of those resources are responsible for choosing strong passwords or passphrases (where available) and protecting their log-in information from unauthorised people.


Malware protection policy

Device protection: All devices that have this feature and are a frequent target of attacks should have the latest antivirus protection installed, which should be updated regularly and automatically.


Protecting IT infrastructure

Firewall

On a secure network as well as on the server infrastructure an active firewall must be installed that operates on a whitelist principle and allows outbound traffic only through designated exit routes (ports). The restriction applies to both secure networked areas and the guest network.



Get in touch
If you're a digital media platform looking to expand internationally, an advertiser looking to reach over 3 billion consumers globally or anyone else seeking digital media solutions, contact us and we'll be in touch about how Aleph can help you grow your business and reach.
Contact us