Log in Sign up
Log in Sign up

Data Processing Addendum (DPA)

Version: 2026.1

Effective Date: January 2026

This Data Processing Addendum (“DPA”) forms part of the Master Service Agreement or Terms of Service (the “Agreement”) between Three Spring Media LTD (operating as “LightAd” or “Processor”) and the entity subscribing to the LightAd Services (“Customer” or “Controller”).

1. Definitions

  • “Data Protection Laws” means all applicable laws, including the EU/UK GDPR, the California Privacy Rights Act (CPRA), and other US state privacy laws as of 2026.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed by LightAd on behalf of the Customer, including online identifiers (IP addresses, MAIDs, cookie IDs) and TCF signals.
  • “TCF” means the IAB Europe Transparency & Consent Framework, specifically version 2.3 and subsequent updates.

2. Scope and Role

2.1 Roles: Customer acts as the Data Controller (determining the purpose of the ad campaign) and LightAd acts as the Data Processor (executing the campaign via the Platform).

2.2 Instructions: LightAd shall process Personal Data only on the documented instructions of the Customer, which include the settings and configurations within the Platform.

3. Processor Obligations

3.1 Confidentiality: LightAd ensures that all personnel authorized to process Personal Data are committed to strict confidentiality.

3.2 Security: LightAd shall implement technical and organizational measures as required by Article 32 GDPR, including encryption of data at rest and in transit, and active fraud detection.

3.3 TCF Compliance: LightAd warrants that it is a registered Vendor on the IAB Global Vendor List (GVL) and technically enforces TCF 2.3 signals, including the mandatory “Disclosed Vendors” bit check.

4. Sub-processors

4.1 General Authorization: Customer provides general authorization for LightAd to engage sub-processors (e.g., AWS, Snowflake, Fraud-prevention vendors).

4.2 Notification: LightAd shall maintain an up-to-date list of sub-processors and notify Customer of any changes via the Platform or email 30 days in advance.

5. Data Subject Rights

5.1 Assistance: Taking into account the nature of ad-tech processing, LightAd shall provide reasonable assistance to help customers respond to requests from individuals (e.g., “Right to be Forgotten”).

5.2 Requests: If LightAd receives a request directly from a data subject, it will redirect the individual to the Customer where possible.

6. International Transfers

6.1 Mechanism: Transfers of data from the EEA/UK to countries without an adequacy decision (e.g., certain US entities not certified under the DPF) shall be governed by the Standard Contractual Clauses (SCCs), which are hereby incorporated by reference.

7. Breach Notification

7.1 Timeline: LightAd shall notify Customer without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer’s data.

8. Deletion and Return

8.1 Policy: Upon termination of the Agreement, LightAd shall delete all Personal Data within 60 days, unless legal obligations require retention. Aggregated, anonymized data may be retained for reporting purposes.

Schedule 1: Details of Processing

  • Subject Matter: Delivery of programmatic advertising.
  • Duration: The term of the Agreement plus the standard retention period (max 13 months).
  • Nature: Real-time bidding (RTB), frequency capping, and ad measurement.
  • Categories of Data: IP addresses, Mobile Advertising IDs (IDFA/AAID), browser characteristics, and interaction data (clicks/views).

Schedule 2: Technical and Organizational Measures

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest.
  • Access Control: Multi-factor authentication (MFA) and Role-Based Access Control (RBAC).
  • Audits: Annual security assessments and participation in IAB TCF compliance audits.

ANNEX I — Processing Details (GDPR)

Nature of Processing:

Programmatic advertising services, including bidding, targeting, optimization, reporting, fraud prevention, and billing.

Categories of Data Subjects:

End users of Client’s apps, websites, or CTV properties.

Types of Personal Data:

Online identifiers (e.g., device IDs, IP address), approximate location, event data, consent signals, campaign interaction data.

Purpose of Processing:

Provision and improvement of Services; compliance; fraud prevention; reporting.

ANNEX II — Technical & Organizational Measures

Company maintains security measures appropriate to risk, including access controls, logging, incident response, and internal policies.

Three Spring Media Kft, Vaci Ut 22-24, floor 3, Budapest, Hungary 1132
Three Spring Media LTD, Mivtza Kadesh 19, Raanana, Israel 4331811
Control. Gain Insights.
Boost Your Profit with LightAd DSP.
Follow us
Explore
Keep in touch
Follow us
Our Partners:
Copyright © LightAd 2024 All Rights Reserved
Our Partners:
Our Partners

    Contact us
    Your message will be copied to the support team.

    Thank you!