Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service, Master Subscription Agreement, Order Form, or other agreement governing the provision of services by ContentAdviser.io ("Agreement") between:
This DPA governs the Processing of Personal Data by ContentAdviser.io on behalf of Customer in connection with the Services.
1. Definitions
Unless otherwise defined herein, capitalized terms have the meanings assigned under the GDPR.
2. Scope and Relationship of the Parties
Customer acts as the Controller of Personal Data processed through the Services. ContentAdviser acts as the Processor. Each party shall comply with Applicable Data Protection Laws regarding its respective obligations. Nothing in this DPA relieves either party from its own direct responsibilities under Applicable Data Protection Laws.
3. Customer Instructions
ContentAdviser shall Process Personal Data only:
- On documented instructions from Customer;
- As necessary to provide the Services;
- To comply with applicable law;
- As otherwise permitted by this DPA.
The Agreement, Customer configuration settings, API calls, and use of the Services constitute Customer's documented instructions. If Processor believes an instruction violates Applicable Data Protection Laws, Processor may notify Customer and suspend execution of the instruction until clarified.
4. Details of Processing
Subject Matter
Provision of ContentAdviser SaaS services.
Nature and Purpose
Processing necessary to:
- Provide Services
- Analyze content
- Deliver AI-assisted recommendations
- Generate reports
- Maintain security
- Provide support
- Improve service functionality
Duration
For the duration of the Agreement and until deletion or return of Personal Data in accordance with this DPA.
Categories of Data Subjects
May include:
- Customer employees
- Contractors
- End users
- Website visitors
- Consumers
- Business contacts
Categories of Personal Data
May include:
- Names
- Email addresses
- User identifiers
- Device information
- IP addresses
- Usage data
- Content submitted to the platform
- Customer-generated data
Special Categories of Data
Customer shall not intentionally submit special category data unless expressly authorized by ContentAdviser in writing and appropriate safeguards have been implemented.
5. Confidentiality
ContentAdviser shall ensure that all personnel authorized to Process Personal Data are bound by confidentiality obligations, receive appropriate privacy and security training, and access Personal Data only as necessary for their duties. Confidentiality obligations shall survive termination of employment or engagement.
6. Security Measures
ContentAdviser shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, accidental loss, destruction, alteration, or disclosure.
Measures may include:
- Encryption in transit
- Access controls
- Multi-factor authentication
- Network security controls
- Monitoring and logging
- Vulnerability management
- Secure development practices
- Incident response procedures
Security measures may evolve as technology and threats change.
7. Subprocessors
Customer authorizes ContentAdviser to engage Subprocessors. Current subprocessors may include providers of:
- Cloud hosting
- Infrastructure services
- Customer support
- Monitoring
- Email delivery
- Analytics
- Payment processing
- AI model providers
ContentAdviser shall maintain an up-to-date Subprocessor List, require subprocessors to provide data protection commitments substantially similar to this DPA, and remain responsible for subprocessor compliance obligations related to Personal Data processing.
8. Changes to Subprocessors
ContentAdviser may update subprocessors from time to time. Where legally required, Customer may be notified of material subprocessor changes. Customer may object on reasonable data protection grounds within thirty (30) days of notice. If the parties cannot resolve the objection, Customer may terminate the affected Services.
9. Assistance with Data Subject Requests
To the extent reasonably possible and considering the nature of Processing, ContentAdviser shall assist Customer in responding to requests concerning:
- Access
- Rectification
- Erasure
- Restriction
- Portability
- Objection
- Automated decision-making rights
If ContentAdviser receives a request directly from a Data Subject, it shall refer the Data Subject to Customer whenever feasible and not respond except as legally required.
10. Assistance with Compliance Obligations
ContentAdviser shall reasonably assist Customer with:
- Data protection impact assessments (DPIAs)
- Regulatory consultations
- Security evaluations
- Breach notifications
- Compliance obligations under Applicable Data Protection Laws
Such assistance may be subject to reasonable fees where extensive efforts are required.
11. Personal Data Breaches
ContentAdviser shall notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
Notification shall include, where available:
- Nature of the breach
- Categories of affected data
- Likely consequences
- Mitigation measures taken or proposed
ContentAdviser shall investigate and take reasonable measures to mitigate the effects of the breach.
12. Audits and Inspections
Upon reasonable written request and no more than once annually, Customer may request information reasonably necessary to demonstrate compliance with this DPA. ContentAdviser may satisfy audit requirements through security reports, certifications, independent audit reports, or compliance documentation.
Direct audits shall require reasonable advance notice, be conducted during normal business hours, avoid disruption of operations, and protect confidentiality of other customers. Customer shall bear its own audit costs.
13. International Transfers
Customer authorizes ContentAdviser to transfer Personal Data internationally as necessary to provide the Services. Where required, transfers shall be protected through one or more lawful mechanisms, including:
- European Commission Standard Contractual Clauses (SCCs)
- UK International Data Transfer Addendum
- Adequacy decisions
- Other approved transfer mechanisms
The SCCs are incorporated by reference into this DPA where applicable.
14. Return and Deletion of Data
Upon termination of the Services and upon Customer request, ContentAdviser shall return or delete Customer Personal Data, unless retention is required by law. Backup copies may remain until routine deletion cycles are completed.
15. AI Processing Provisions
AI Services
ContentAdviser may use artificial intelligence and machine learning systems to provide functionality requested by Customer.
Customer Instructions
AI processing conducted through the Services is performed pursuant to Customer instructions.
Training Restrictions
Unless expressly agreed otherwise in writing:
- Customer Personal Data will not be used to train public foundation models.
- Customer Personal Data will not be sold.
- Customer Personal Data will not be shared for unrelated advertising purposes.
Model Providers
Where AI model providers are used as subprocessors, they shall be subject to contractual obligations consistent with applicable privacy requirements.
16. CCPA/CPRA Service Provider Terms
To the extent applicable, ContentAdviser acts as a Service Provider or Contractor under CCPA/CPRA. ContentAdviser shall:
- Process Personal Information solely for Business Purposes;
- Not sell Personal Information;
- Not share Personal Information for cross-context behavioral advertising;
- Not retain, use, or disclose Personal Information outside the direct business relationship except as permitted by law;
- Comply with applicable CCPA/CPRA requirements.
17. Liability
Liability under this DPA shall be governed by the liability provisions contained in the Agreement. Nothing in this DPA limits liability where such limitation is prohibited by Applicable Data Protection Laws.
18. Governing Law
This DPA shall be governed by the governing law specified in the Agreement. Where SCCs require otherwise, SCC-required governing law provisions shall apply solely to the SCCs.
19. Order of Precedence
In the event of conflict, the following shall prevail in order solely regarding data protection matters:
20. Contact Information
For privacy and data protection matters:
Privacy Team — ContentAdviser.io
Email: privacy@contentadviser.io
Appendix 1 — Processing Details
- Hosting
- Storage
- Content analysis
- AI-assisted recommendations
- Reporting
- Security monitoring
- Customer support
- API processing
- Customer personnel
- End users
- Website visitors
- Business contacts
- Contact information
- Account information
- Technical identifiers
- Usage information
- Customer-submitted content
Appendix 2 — Technical and Organizational Security Measures
ContentAdviser maintains safeguards including:
- Encryption in transit using TLS
- Role-based access controls
- Authentication and authorization controls
- Security logging and monitoring
- Vulnerability management
- Secure software development practices
- Backup and disaster recovery procedures
- Incident response processes
- Personnel confidentiality obligations
- Vendor risk management procedures
These measures may be updated periodically to reflect evolving security standards and operational requirements.