Data Processing Addendum (Controller → Processor)

This Data Processing Addendum (“DPA”) forms part of the agreement between the customer identified in an order or master agreement (“Customer” or Controller) and AdCast LLC, 75 E 3rd St Ste 7, Sheridan, WY 82801, USA (“AdCast” or Processor).
Effective date: 2025-09-29
Last updated:

1. Definitions

  • Applicable Data Protection Law: laws on privacy/data protection, including EU GDPR and UK GDPR.
  • EU GDPR: Regulation (EU) 2016/679.

    EU/EEA Representative (Art. 27)

    eurep.ie
    27 Cork Road, Midleton Co. Cork, Ireland (A form through which to make GDPR requests)

    We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). All GDPR queries from EU Data Subjects or Data Protection authorities should be submitted to eurep.ie via their dedicated form. BizLegal Ltd trading as EU Rep have their registered office at 27 Cork Road, Midleton Co. Cork, Ireland. Company number 635921.

  • UK GDPR: EU GDPR as retained in UK law.
  • Personal Data: information relating to an identified or identifiable natural person processed under the Agreement.
  • Process/Processing: as defined by GDPR.
  • Sub-processor: any processor engaged by AdCast.
  • Customer Personal Data: Personal Data for which Customer is Controller and which AdCast Processes on Customer’s behalf.
  • Services: AdCast services under the Agreement (e.g., AdCast Player, dashboards, APIs, support).

2. Scope and Roles

(a) For Processing of Customer Personal Data, Customer is Controller and AdCast is Processor.

(b) This DPA does not apply where AdCast acts as an independent controller (e.g., AdCast website analytics, billing, account administration). That is covered in AdCast’s Privacy Policy.

3. Customer Instructions

(a) AdCast shall Process Customer Personal Data only on documented instructions from Customer, including regarding international transfers, unless required by law (in which case AdCast will inform Customer unless prohibited).

(b) Customer instructs AdCast to Process Customer Personal Data as needed to provide the Services, manage security, provide support/maintenance, and comply with law, as described in Annex I(B).

(c) Customer is responsible for the lawfulness of its instructions and will not instruct AdCast to act unlawfully.

4. Confidentiality

AdCast ensures persons authorized to Process Customer Personal Data are under appropriate confidentiality obligations (contractual/statutory).

5. Security

(a) AdCast implements and maintains appropriate technical and organizational measures (TOMs) considering the state of the art, costs, nature and purposes of Processing, and risk to data subjects; see Annex II.

(b) Customer is responsible for measures under its control (e.g., user access, secure configuration, optional customer-side encryption).

6. Sub-processors

(a) Authorization: Customer gives general authorization for AdCast to engage Sub-processors. Current Sub-processors: Annex III.

(b) New Sub-processors & Notice: AdCast will provide prior notice of intended changes to Sub-processors, allowing Customer to object on reasonable data-protection grounds. If unresolved, Customer may terminate the affected Services as sole remedy.

(c) Flow-down: AdCast imposes obligations on Sub-processors no less protective than this DPA.

(d) Liability: AdCast remains responsible for Sub-processors’ performance of their data-protection obligations.

7. Assistance; DPIAs; Audits

(a) Data Subject Requests: Taking account of Processing, AdCast assists Customer by appropriate measures to fulfil requests under law; if AdCast receives a request directly, it will forward it to Customer unless legally prohibited.

(b) DPIAs & Prior Consultation: AdCast provides reasonable cooperation for Customer’s DPIAs/prior consultations given the nature of Processing and information available to AdCast.

(c) Audits: AdCast makes available information to demonstrate compliance and allows reasonable audits once per 12 months (except after a Security Incident or as required by a regulator). Audits require 30-day notice, normal business hours, minimal disruption, confidentiality, and first rely on third-party reports/certifications (e.g., SOC 2/ISO 27001) before any on-site visit. Customer bears costs unless a material breach is found.

8. Personal Data Breach Notification

AdCast will notify Customer without undue delay (and no later than 48 hours after becoming aware) of a confirmed Personal Data Breach affecting Customer Personal Data, including known details, likely consequences, measures taken/proposed, and a contact point, followed by updates as information emerges.

9. Return and Deletion

Upon termination/expiry of Services, upon Customer’s request, AdCast will delete or return all Customer Personal Data and delete existing copies within 30 days, unless law requires retention (in which case AdCast securely isolates/protects such data).

10. International Data Transfers

(a) AdCast may transfer and Process Customer Personal Data outside the EEA/UK as necessary to provide the Services, subject to Chapter V safeguards.

(b) For EEA→third country transfers without adequacy, the parties rely on the EU SCCs (2021/914) Module 2 (Controller→Processor) as set out in Annex I. For UK transfers, the UK International Data Transfer Addendum applies.

(c) Where applicable, AdCast may also rely on participation in an adequacy framework (e.g., EU–US DPF) in addition to SCCs.

11. Liability and Conflict

(a) Each party’s aggregate liability under this DPA is limited by the Agreement’s liability terms.

(b) In case of conflict: this DPA prevails over the Agreement for data-protection matters; the SCCs/UK Addendum prevail over this DPA where applicable.

12. Miscellaneous

This DPA is governed by the Agreement’s law, except the SCCs/UK Addendum require their own governing law/jurisdiction as selected therein. If any provision is invalid, the remainder remains effective. Electronic execution is permitted.

Annex I — SCC Appendix (Art. 28(3) Details)

A. List of Parties

  • Data Exporter (Controller): Customer (per Agreement). Contact: as provided in Order/Agreement.
  • Data Importer (Processor): AdCast LLC, 75 E 3rd St Ste 7, Sheridan, WY 82801, USA. Contact: privacy@adcast.app.

B. Description of Processing/Transfer

  • Subject matter: Provision of Services (AdCast Player, dashboards, APIs, support, hosting, telemetry Processing).
  • Duration: Term of the Agreement + post-termination period for return/deletion.
  • Nature & purpose: Hosting/storage; transmission; structuring; analysis/reporting of service telemetry; support; security/incident response.
  • Data subjects: Customer’s users/admins; Customer’s personnel; display operators; viewers indirectly via device telemetry (no direct identification by AdCast unless provided by Customer).
  • Categories of data: Name, email (for authorized users); device/display IDs; IP address; telemetry events/timestamps; support content; configuration metadata. Customer may submit additional categories.
  • Sensitive data: Not intended. Customer will avoid submitting special categories; if unavoidable, heightened protections apply.
  • Frequency: Continuous/as needed.
  • Retention: Per Section 9 and Annex II.
  • Supervisory authority: Authority of the exporter’s main establishment (or representative’s Member State).

C. SCC Clause Selections (Module 2)

  • Clause 7 (Docking): Enabled.
  • Clause 9 (Sub-processors): General authorization with notice/objection per Section 6.
  • Clause 11 (Redress): Not applicable.
  • Clause 17 (Governing law): Ireland (or another EU Member State mutually agreed).
  • Clause 18 (Forum/jurisdiction): Dublin, Ireland (or the Member State chosen under Clause 17).

The full text of the EU SCCs (2021/914) Module 2 and the UK Addendum are incorporated by reference. A countersigned copy can be provided on request.

Annex II — Technical & Organizational Measures (TOMs)

  1. Organizational Security: policies; roles/responsibilities; confidentiality; training.
  2. Access Control & Identity: least privilege; RBAC; MFA; SSO; periodic reviews; session controls.
  3. Physical & Environmental: industry-standard data centers (e.g., AWS) with physical security and environmental safeguards.
  4. Data Protection: encryption in transit (TLS 1.2+) and at rest; key management; data minimization; logical segregation; secure deletion.
  5. Operations: hardening; patch/vulnerability management; change management; EDR/antimalware; logging/monitoring; alerting.
  6. Development & Change: secure SDLC; code review; dependency scanning; secrets management; CI/CD with approvals; staged rollouts.
  7. Incident Response: IR plan; logging/forensics; 24×7 on-call; breach notification per Section 8; post-incident reviews.
  8. Business Continuity/DR: backups; geographically diverse infrastructure where appropriate; DR plans; restore tests.
  9. Vendor/Sub-processor Management: due diligence; DPAs/SCCs; monitoring; contractual flow-down.
  10. Audits/Certifications: third-party assessments (e.g., SOC 2/ISO 27001) where applicable; penetration tests; remediation tracking.

Annex III — Authorized Sub-processors

AdCast currently uses the following Sub-processors (subject to change with notice to Customer as required by the DPA):

| Vendor | Purpose | Typical Data | Location/Region | Safeguard |
|---|---|---|---|---|
| Amazon Web Services (AWS) — S3, CloudFront, Lambda, MediaConvert | Hosting, storage, CDN, media processing | Media assets, telemetry, logs | EU/US (per service config) | SCCs; encryption |
| Firebase Cloud Messaging (Google) | Push notifications | Device token, app ID | Global (incl. US) | SCCs; limited use |
| Stripe / RevenueCat | Payments/subscriptions | Payment token/ID, receipts | US/EU | SCCs; PCI-DSS |
| Sentry | Error & crash reporting | Crash logs, stack traces, device/app metadata | EU/US (per plan) | SCCs; PII scrubbing |
| Email (e.g., Amazon SES) | Transactional emails | Email address, metadata | US/EU (per region) | SCCs |
| Analytics (if enabled) — [e.g., GA4 or Plausible] | Product analytics | Pseudonymous IDs, events | [EU/self-hosted/US] | Consent-based; SCCs if outside EEA/UK |
| Support platform (if used) — [e.g., Help Scout/Intercom] | Ticketing/chat | Contact details; ticket content | [EU/US] | SCCs |

Annex IV — UK Addendum (Summary)

For transfers from the UK to third countries without adequacy, the parties adopt the ICO International Data Transfer Addendum to the EU SCCs (Addendum B.1.0), incorporated by reference with the following selections:

  • Table 1 (Parties): As in Annex I(A).
  • Table 2 (Selected SCCs): EU 2021/914 Module 2.
  • Table 3 (Appendix Information): As in Annex I and Annex II of this DPA.
  • Table 4: The Addendum updates to the latest version unless otherwise agreed.
