Data Processing Agreement (DPA)

Last updated: December 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between AdsDetective ("Processor") and the Customer ("Controller") and governs the processing of personal data in accordance with the General Data Protection Regulation (GDPR).

2. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person.
  • "Processing": Any operation performed on personal data, including collection, storage, use, and deletion.
  • "Controller": The entity that determines the purposes and means of processing personal data (Customer).
  • "Processor": The entity that processes personal data on behalf of the Controller (AdsDetective).
  • "Sub-processor": Any third party engaged by the Processor to process personal data.

3. Scope of Processing

AdsDetective processes personal data for the following purposes:
  • Aggregating advertising performance data from connected platforms
  • Generating analytics reports and insights
  • Providing alerting and notification services
  • User authentication and account management

4. Data Categories

The following categories of personal data may be processed:
  • User account information (name, email)
  • Advertising account identifiers
  • Campaign and ad performance metrics
  • OAuth access tokens (encrypted)
  • Usage logs and audit trails

5. Processor Obligations

AdsDetective agrees to:
  • Process personal data only on documented instructions from the Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior authorization
  • Assist the Controller with data subject requests
  • Delete or return personal data upon termination
  • Make available information necessary for compliance audits

6. Security Measures

AdsDetective implements the following security measures:
  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident response and breach notification procedures
  • Employee security training and awareness programs
  • Physical security controls for data centers

7. Sub-processors

AdsDetective uses the following sub-processors:
  • Auth0 (Okta) - Authentication services - USA/EU
  • Google Cloud Platform - Cloud infrastructure - EU
  • Lemon Squeezy - Payment processing - USA
  • Cookiebot - Cookie consent management - EU
The Controller authorizes the use of these sub-processors. AdsDetective will notify the Controller of any changes to sub-processors.

8. Data Subject Rights

AdsDetective will assist the Controller in responding to data subject requests including:
  • Access requests (Article 15)
  • Rectification requests (Article 16)
  • Erasure requests (Article 17)
  • Restriction requests (Article 18)
  • Data portability requests (Article 20)
  • Objection requests (Article 21)

9. Data Breach Notification

In the event of a personal data breach, AdsDetective will:
  • Notify the Controller without undue delay (within 72 hours)
  • Provide details of the breach and affected data
  • Describe measures taken to address the breach
  • Cooperate with the Controller and supervisory authorities

10. International Transfers

For transfers of personal data outside the EEA, AdsDetective relies on:
  • EU-US Data Privacy Framework (for US-based sub-processors)
  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the European Commission

11. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, AdsDetective will delete or return all personal data within 30 days, unless retention is required by law.

12. Contact

For DPA-related inquiries, contact our Data Protection Officer:
dpo@adsdetective.com