Data Processing Addendum

Last updated: May 9, 2026 · Effective date: May 9, 2026 · Version 1.0

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", acting as data controller / data exporter) and Adsup Pro LLC, a Wyoming limited liability company ("AdsUp", acting as data processor / data importer), and applies whenever AdsUp processes Personal Data on behalf of Customer through the AdsUp Service.

This DPA is automatically applicable to Customers subject to GDPR, UK GDPR, Swiss revFADP, Brazilian LGPD, Indonesian UU PDP, or any other data protection law that imposes processor obligations. By using the Service, Customer accepts this DPA on behalf of itself and its Affiliates that use the Service.

1. Definitions

Capitalized terms not defined here have the meanings given in the GDPR, UK GDPR, LGPD, PDP, or the Terms, as applicable.

  • "Applicable Data Protection Law" means any law applicable to the processing of Personal Data, including GDPR (Regulation (EU) 2016/679), UK GDPR, Swiss revFADP, LGPD (Law 13.709/2018), UU PDP (Law 27/2022), CCPA/CPRA, and equivalents.
  • "Customer Personal Data" means Personal Data processed by AdsUp on behalf of Customer through the Service.
  • "Data Subject", "Personal Data", "Processing", "Controller", "Processor", and "Sub-processor" have the meanings given in GDPR Art. 4.
  • "EU SCCs" means the Standard Contractual Clauses approved by EU Commission Decision 2021/914 of 4 June 2021.
  • "UK IDTA" means the UK International Data Transfer Addendum issued by the ICO under section 119A of the UK Data Protection Act 2018, in force from 21 March 2022.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

2. Roles & Scope

For Customer Personal Data, Customer is the Controller and AdsUp is the Processor. For account data, billing data, and usage telemetry directly relating to Customer and its authorized users, AdsUp is an independent Controller, governed by the Privacy Policy.

Subject matter, duration, nature and purpose, types of Personal Data, and categories of Data Subjects are described in Annex I.

3. Customer Instructions

AdsUp shall process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required by applicable law (in which case AdsUp shall, where legally permitted, inform Customer of that legal requirement before processing). Customer's use of the Service constitutes its instructions to AdsUp to process Customer Personal Data as necessary to provide the Service. Customer is responsible for ensuring that its instructions, and the underlying processing, comply with Applicable Data Protection Law.

AdsUp shall promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Confidentiality & Personnel

AdsUp shall ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and have received training on their data-protection responsibilities. Access is granted on a need-to-know basis and is logged and reviewed periodically.

5. Security (GDPR Art. 32)

AdsUp shall implement and maintain technical and organizational measures (TOMs) appropriate to the risk, as described in Annex II and in our Security Overview. AdsUp shall regularly test, assess, and evaluate the effectiveness of those measures.

6. Sub-processors

Customer grants AdsUp general written authorization to engage Sub-processors to perform processing on Customer's behalf, subject to the conditions in this Section. The current list is at /sub-processors and is updated from time to time.

AdsUp shall (a) impose on each Sub-processor data-protection obligations no less protective than those in this DPA; (b) remain responsible to Customer for any breach by a Sub-processor; and (c) provide at least 30 days' advance notice of new or replacement Sub-processors by updating the list and, on request, by email subscription.

Right to object. Customer may object on reasonable data-protection grounds within 30 days of notification. The parties will work in good faith to find a solution; if none is found, Customer may terminate the affected portion of the Service for a pro-rata refund of unused prepaid fees relating to that portion.

7. International Transfers

Where Customer Personal Data originating from the EEA, UK, or Switzerland is transferred to a country not deemed adequate, the parties agree that:

  • The EU SCCs Module 2 (Controller to Processor) are incorporated by reference, with the elections set out in Annex III;
  • Where Customer is located outside the EEA but transfers EEA Personal Data, Module 4 (Processor to Controller) applies for return of data;
  • For UK transfers, the UK IDTA is incorporated, with details in Annex IV;
  • For Swiss transfers, the EU SCCs apply with the modifications required by the Swiss FDPIC.

Transfer Impact Assessment. AdsUp has conducted a TIA covering the U.S. legal regime (FISA 702, EO 12333) and concluded that, in conjunction with the technical measures in Annex II (encryption, access controls, opposition to over-broad governmental requests), the transfers offer essentially equivalent protection. The TIA is available on written request to privacy@adsup.pro.

8. Data Subject Rights

AdsUp shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection, withdrawal of consent). Where AdsUp receives a Data Subject request directly, AdsUp shall (where lawfully permitted) forward the request to Customer without undue delay.

9. Personal Data Breach Notification

AdsUp shall notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting Customer Personal Data. The notification shall include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.

AdsUp shall reasonably cooperate with Customer in investigating, mitigating, and remediating breaches.

10. Audits

AdsUp shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits conducted by Customer or an independent auditor mandated by Customer. To minimize disruption:

  • Customer shall give at least 30 days' prior written notice;
  • Audits shall be conducted no more than once per twelve-month period, except after a Personal Data Breach or as required by a regulator;
  • Customer shall reimburse reasonable costs and ensure auditors execute confidentiality agreements;
  • AdsUp may satisfy audit obligations by providing copies of relevant third-party audit reports (e.g. SOC 2, ISO 27001 when obtained).

11. Return & Deletion of Data

On termination or expiry of the Service, and on Customer's written request, AdsUp shall, at Customer's choice, return or delete all Customer Personal Data, including copies, except where applicable law requires storage. The default deletion timeline is described in the Privacy Policy (typically within 30 days after termination, with backups expiring within an additional 35 days).

12. Government Access Requests

AdsUp shall, where lawfully permitted, (a) review the validity of any government access request before disclosing data, (b) challenge requests it considers over-broad, and (c) notify Customer of any binding access request received relating to Customer Personal Data. Where notification is prohibited by law (e.g. a gag order), AdsUp shall use reasonable efforts to challenge the prohibition. AdsUp shall publish an annual transparency report aggregating government requests received.

13. Liability

The liability provisions of the Terms (Section 14, including caps and exclusions) apply to claims under this DPA, except where Applicable Data Protection Law imposes a different mandatory liability framework that cannot be contractually limited.

14. LGPD Annex (Brazil)

For processing of Personal Data subject to LGPD: Customer is the Controller and AdsUp is the Operator (Operador) under LGPD Art. 5. ANPD-issued model clauses are incorporated by reference to the extent issued and applicable. ANPD is the relevant authority.

15. UU PDP Annex (Indonesia)

For processing subject to Indonesian UU PDP No. 27/2022: Customer is the Personal Data Controller (Pengendali Data Pribadi) and AdsUp is the Personal Data Processor (Prosesor Data Pribadi). Breach notification to the affected Data Subject and the competent authority shall occur within 3 × 24 hours of awareness.

16. Order of Precedence

In the event of conflict, the order of precedence is: (1) the EU SCCs / UK IDTA where they apply, (2) this DPA, (3) the Terms of Service, (4) any prior agreement between the parties.

Annex I — Description of Processing

  • Subject matter: processing of Personal Data necessary to provide the AdsUp Service.
  • Duration: for the term of the Customer's subscription plus retention periods set out in the Privacy Policy.
  • Nature and purpose: account management, AI-assisted content creation, ad campaign management, social media publishing, customer-message handling, analytics, billing.
  • Types of Personal Data: contact details, account credentials, content of messages and posts, audience identifiers, transactional metadata, usage telemetry, billing data.
  • Categories of Data Subjects: Customer's authorized users, Customer's end customers, leads, audience members, message senders.
  • Frequency: continuous for the term.
  • Special-category data: none expected; Customer must not submit special-category data without first ensuring lawful basis.

Annex II — Technical & Organizational Measures (Summary)

  • OAuth tokens encrypted at rest using AES-256-GCM with dedicated keys;
  • TLS 1.2+ for all data in transit; HSTS enabled;
  • Bcrypt password hashing;
  • Role-based access control with least privilege;
  • Multi-factor authentication for production access;
  • Per-business ownership scoping in all queries;
  • Daily backups with retention windows;
  • Centralized logging, monitoring, and alerting (GlitchTip self-hosted);
  • Incident response plan with on-call rotation;
  • Sub-processor due diligence, monitoring, and contractual security obligations;
  • Vulnerability disclosure channel at security@adsup.pro;
  • Personnel confidentiality obligations and security training.

See /security for current details.

Annex III — EU SCCs Election (Module 2)

  • Clause 7 (Docking clause): applicable.
  • Clause 9 (Sub-processors): Option 2 (general written authorization) with 30-day notice.
  • Clause 11 (Redress): the optional language is not included.
  • Clause 17 (Governing law): the law of the Republic of Ireland.
  • Clause 18 (Forum): courts of Ireland.
  • Annex I.A. List of Parties: as identified in the Terms.
  • Annex I.B. Description of Transfer: as set out in Annex I above.
  • Annex I.C. Competent Supervisory Authority: the supervisory authority of Ireland (DPC) where Customer's lead authority is not otherwise determined.
  • Annex II: as set out in Annex II above.
  • Annex III. List of Sub-processors: as published at /sub-processors.

Annex IV — UK IDTA (Tables)

  • Table 1 (Parties): Customer (Exporter) and AdsUp Pro LLC (Importer), as identified in the Terms.
  • Table 2 (Selected SCCs, Modules & Selected Clauses): EU SCCs Module 2, with the elections in Annex III.
  • Table 3 (Appendix Information): as in Annex I and Annex II.
  • Table 4 (Ending the Addendum): either party may end the IDTA as permitted by Section 19 of the IDTA.

Contact

Privacy: privacy@adsup.pro · Security: security@adsup.pro · Legal: legal@adsup.pro