This Data Processing Addendum ("DPA") forms part of the Terms of Service and Customer Subscription and Services Agreement between the customer ("Customer") and AdIQ ("AdIQ"). It applies where AdIQ processes Personal Data on Customer's behalf in providing the Services. "Personal Data," "Controller," "Processor," "Business," "Service Provider," and similar terms have the meanings given under applicable data-protection law, including the GDPR/UK GDPR and the California Consumer Privacy Act as amended by the CPRA ("CCPA").
For Personal Data of Customer's own customers and leads that Customer provides or that is collected through the Services on Customer's behalf, Customer is the Controller/Business and AdIQ is the Processor/Service Provider. AdIQ processes such Personal Data only to provide the Services and on Customer's documented instructions (which include this DPA and the Agreement), and not for AdIQ's own commercial purposes.
To the extent the CCPA applies, AdIQ acts as a Service Provider. AdIQ will not sell or share Personal Data, will not retain, use, or disclose it except to perform the Services or as permitted by the CCPA, and will not combine it with data from other sources except as the CCPA allows. AdIQ certifies it understands and will comply with these restrictions.
Customer authorizes AdIQ to engage subprocessors to provide the Services. A current list is published at adiq.com/subprocessors. AdIQ imposes data-protection obligations on each subprocessor that are materially no less protective than this DPA and remains responsible for their performance. AdIQ will provide a mechanism to be notified of new subprocessors and a reasonable period to object.
AdIQ maintains measures appropriate to the risk, including encryption in transit (TLS), access controls and least-privilege, multi-factor authentication for administrative access, network and application hardening, logging and monitoring, and periodic review. Payment card data is handled by PCI-compliant payment processors and is not stored by AdIQ in raw form.
AdIQ will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data, and will provide information reasonably available to assist Customer in meeting its own notification obligations.
AdIQ stores Personal Data on infrastructure located in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland, the parties agree that the applicable Standard Contractual Clauses (and UK Addendum) are incorporated by reference and apply to such transfers.
On termination of the Services, AdIQ will, at Customer's choice and where technically feasible, return or delete Customer's Personal Data, subject to retention required by law and to standard backup cycles, after which data is deleted in the ordinary course.
AdIQ will respond to reasonable audit or information requests, which may be satisfied by existing reports or documentation. In the event of a conflict on data-protection matters, this DPA controls over the Agreement. Questions: legal [at] adiq.com, AdIQ.