This DPA forms part of the Terms of Service or other written agreement between Intelsem LLC d/b/a "AdSights" ("AdSights", "we", "us", "our") and the counterparty identified in the Order Form ("Customer"). Capitalized terms not defined here have the meanings in the Agreement.
This DPA is designed to meet requirements under GDPR/UK GDPR/Swiss FADP and major U.S. state privacy laws (including CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA). It applies only to the extent AdSights processes Personal Data on behalf of Customer as a Processor/Service Provider.
1.1 Scope. This DPA governs AdSights’ Processing of Customer Personal Data on behalf of Customer in providing the Services.
1.2 Roles. For Customer Personal Data, Customer is the Controller/Business (or equivalent) and AdSights is the Processor/Service Provider. AdSights may act as a Controller for its own account, billing, security logs, Site analytics, or similar data as described in the Privacy Policy.
1.3 Order of Precedence. In the event of conflict, the following order applies: (1) applicable Standard Contractual Clauses (SCCs) and UK Addendum/Swiss Addendum (to the extent they apply), (2) this DPA, then (3) the Agreement.
2.1 Instructions. AdSights will Process Customer Personal Data solely on documented instructions from Customer, including as set out in the Agreement, this DPA (including Annexes), Customer’s configuration of the Services, and Customer’s lawful written instructions.
2.2 Nature and Purpose. The nature and purpose of Processing, categories of Data Subjects and Personal Data, duration, and frequency are set out in Annex I.
2.3 Prohibited Use. AdSights will not Sell or Share (as defined by CPRA) Customer Personal Data or use it for cross‑context behavioral advertising or for purposes other than the Business Purpose of providing and improving the Services as permitted by this DPA, subject to the restrictions below.
Controller‑Side Marketing. Nothing in this DPA restricts AdSights, acting as an independent Controller/Business, from Processing: (a) its own Site/app telemetry, prospect lists, or leads acquired independently of this DPA; (b) Customer personnel contact information provided for account administration or marketing communications (subject to Applicable Law and Customer’s preferences); or (c) De‑identified/Aggregated data, to conduct advertising or marketing about AdSights’ services.
3.1 Confidentiality. AdSights will ensure personnel authorized to Process Customer Personal Data are subject to confidentiality obligations and Process such data only as instructed.
3.2 Access Controls. AdSights will limit access to Customer Personal Data to personnel with a need to know for the Business Purpose.
4.1 Security Program. AdSights maintains administrative, technical, and physical safeguards appropriate to the nature of the data and risk, including measures described in Annex II.
4.2 No Absolute Security. Customer acknowledges no method of transmission or storage is 100% secure.
5.1 Authorization. Customer authorizes AdSights to engage and replace Affiliates and third parties as subprocessors to support the Services (e.g., hosting, storage/CDN, compute, support, communications, analytics) in AdSights’ sole discretion. AdSights will impose written obligations on subprocessors that are no less protective in substance than those AdSights applies to itself for similar data under this DPA, and AdSights remains responsible for its obligations under the Agreement and this DPA subject to all disclaimers and limitations therein.
5.2 List & Notice. To the extent required by Applicable Data Protection Law, AdSights will make available a current list of material subprocessors and provide prior notice of additions (e.g., on a web page or via email). AdSights may engage or replace subprocessors without prior notice where operationally necessary or where prior notice is not required by Applicable Data Protection Law.
5.3 Objections & Sole Remedy. If, where permitted by law, Customer reasonably objects in writing to a newly‑added subprocessor based on a good‑faith belief that such engagement would materially degrade the security or compliance of the Services as to Customer, the parties will discuss in good faith. If not resolved within 30 days of AdSights’ receipt of the objection, Customer may disable the affected feature(s) or terminate the affected Order prospectively; no refunds, credits, or other compensation will be due. The foregoing is Customer’s sole and exclusive remedy for any subprocessor objection. Use of Third‑Party Products Customer connects is not a subprocessing engagement by AdSights.
6.1 Cooperation. Taking into account the nature of the Processing and to the extent required by law, AdSights will provide reasonable assistance to Customer to respond to requests to exercise data subject/consumer rights.
6.2 Direct Requests. If AdSights receives a request directly from a data subject that identifies Customer, AdSights will promptly direct the individual to Customer unless prohibited by law. AdSights will not respond to such requests except to confirm receipt and direction.
6.3 Cost Recovery. Assistance that is beyond the ordinary operation of the Services, unusually burdensome, repetitive, or requires bespoke support is subject to reasonable fees at AdSights’ then‑current professional services rates.
7.1 Notice. Upon becoming aware of a Security Incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data, AdSights will notify Customer without undue delay (and in any event within 72 hours of confirmation), describe known facts, and take reasonable steps to mitigate and remediate. Notification is not an admission of fault.
7.2 Cooperation. AdSights will provide reasonable information for Customer to meet breach‑notification obligations. Customer is responsible for notifications arising from its own systems or Third‑Party Products.
8.1 Compliance Package. To the extent required by Applicable Data Protection Law, AdSights will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., summaries of independent third‑party audits, certifications, security whitepapers). AdSights may satisfy audit obligations by providing such documentation (the “Compliance Package”).
8.2 On‑Site/Direct Audits. On‑site inspections or direct audits are not permitted except where expressly mandated by Applicable Law or a competent supervisory authority and only after the parties determine the Compliance Package is reasonably insufficient.
Any permitted audit must:
(a) be limited to systems/controls relevant to the Services and Customer Personal Data;
(b) be conducted by an independent, mutually agreed third‑party auditor (not a competitor), under NDA;
(c) occur during normal business hours with at least 30 days' notice;
(d) avoid access to other customers' data and AdSights' trade secrets/source code;
(e) exclude penetration testing or intrusive scans without AdSights' prior written consent; and
(f) be at Customer's sole expense, including AdSights' reasonable internal costs at then‑current professional services rates.
Audits are limited to once in any 12‑month period unless required by a regulator, following a verified material Security Incident affecting Customer Personal Data, or due to a material, uncured breach of this DPA.
9.1 Mechanisms. Where AdSights’ Processing of Customer Personal Data involves a transfer from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:
- Module 2 (Controller → Processor) where Customer is a Controller and AdSights is a Processor; and/or
- Module 3 (Processor → Processor) where Customer is a Processor and AdSights is a sub‑Processor.
The SCCs are completed as set out in Annex I–III and this Section 9. The docking clause (Clause 7) applies; the competent supervisory authority is determined per GDPR; the governing law/venue for EU SCCs is the law/courts of Ireland unless otherwise specified in Annex I.
9.2 UK & Swiss Addenda. For transfers subject to UK GDPR, the parties incorporate the UK International Data Transfer Addendum (and/or the ICO’s IDTA as applicable) with the SCCs. For Swiss FADP, references to GDPR are construed mutatis mutandis.
9.3 Supplemental Measures. AdSights will implement reasonable supplemental measures as appropriate to the transfer and the Services. If a transfer mechanism is invalidated, the parties will cooperate in good faith to implement an alternative.
10.1 DPIAs & Consultations. Taking into account the nature of Processing and information available to AdSights, we will provide reasonable assistance to Customer with data protection impact assessments and prior consultations required by law. Fees may apply where assistance is outside ordinary operations.
10.2 Records. AdSights will maintain records of Processing of Customer Personal Data as required by law and make them available upon request as part of the Compliance Package.
11.1 Return/Deletion. Upon termination or at Customer’s written request, AdSights will delete or return Customer Personal Data within a commercially reasonable period, unless retention is required by law or permitted for compliance, security, or audit logs. Backups will be overwritten on standard cycles.
11.2 De‑identified/Aggregated Data. AdSights may retain and use De‑identified and/or Aggregated data derived from Customer Personal Data for lawful purposes, provided it cannot reasonably be used to identify Customer or a data subject.
12.1 Service Provider/Processor. AdSights will act as a Service Provider/Processor and will not: (a) Sell or Share Customer Personal Data; (b) retain, use, or disclose it outside the Business Purpose; (c) combine it with Personal Data received from another source except as permitted to perform the Services, for security/integrity, to detect fraud or illegal activity, to comply with law, or to De‑identify/Aggregate it; or (d) use it for cross‑context behavioral advertising.
12.2 Certifications. AdSights certifies it understands and will comply with the restrictions in Section 12.1. Customer is responsible for providing required notices and obtaining consents.
12.3 Consumer Requests. AdSights will assist Customer with consumer requests as described in Section 6. AdSights will promptly notify Customer of any legally binding request for disclosure from law enforcement unless legally prohibited.
AdSights will, to the extent legally permitted, promptly notify Customer of a legally binding request from a public authority for disclosure of Customer Personal Data and will challenge overbroad or unlawful requests. If legally prohibited from notifying, AdSights will seek to obtain a waiver of the prohibition. AdSights will disclose only the minimum amount of data necessary to comply with the request.
14.1 Liability. The limitations and exclusions of liability in the Agreement apply to this DPA and all SCCs/addenda to the maximum extent permitted by law. Nothing in this DPA expands either party’s liability beyond the Agreement.
14.2 Indemnity. Any indemnities apply as set out in the Agreement. This DPA does not create additional indemnities.
14.3 Precedence. If there is a conflict between this DPA and the Agreement, this DPA controls for Processing of Customer Personal Data. If there is a conflict between this DPA and the SCCs/UK/Swiss addenda, the SCCs/addenda control for cross‑border transfers.
15.1 Term. This DPA remains in effect for so long as AdSights Processes Customer Personal Data on behalf of Customer under the Agreement.
15.2 Amendments. AdSights may update this DPA to reflect changes in law or guidance. Material changes will be communicated and, where required, will take effect upon mutual execution or as otherwise required by law.
A. Parties
- Data Exporter: Customer (Controller or Processor on behalf of its controller)
- Address: As set out in the Order Form
- Contact: As set out in the Order Form
- DPO/Representative (if any): Customer to complete
- Data Importer: Intelsem LLC d/b/a AdSights (Processor)
- Address: 50 W Broadway Ste 333 #306374, Salt Lake City, Utah 84101, USA
- Contact: privacy@adsights.ai
- DPO: Emily Luther dpo@adsights.ai
B. Description of Transfer
- Nature & Purpose: Provision of creative analytics and related platform Services; hosting, storage, processing, transmission; security, support, and service improvement as permitted by the Agreement/DPA.
- Categories of Data Subjects: Customer’s employees and contractors; Customer’s clients’ personnel (if applicable); end users featured in or associated with Customer creative assets/metadata.
- Categories of Personal Data: Identifiers (e.g., names, emails, user IDs); account/role information; device/IP/log data; content/metadata included in creative/media files, transcripts/OCR, dense captioning output, feature/label metadata (e.g., objects, scenes, colors, on‑screen text, talent signals), computer vision analysis output, and related timing information; platform performance metrics and campaign metadata; support communications.
- Special Categories/Sensitive Data: Not intended, but may be incidentally included in creative/media at Customer’s discretion. Customer is responsible for restricting such data unless expressly agreed in writing.
- Frequency of Transfer: Continuous and on‑demand as determined by Customer’s configuration.
- Retention: For the Subscription Term and as otherwise permitted by the Agreement/DPA; specific retention is controlled by Customer’s use of the Services and legal requirements.
- Subject Rights: As per the Agreement/DPA.
C. Competent Supervisory Authority (EU SCCs): Determined under Clause 13 of the SCCs; by default IE DPC (Ireland) if not otherwise specified.
D. Subprocessor Authorization: General authorization in accordance with Section 5.
Governance & Policy
- Information security program with risk assessment, policies, and executive oversight.
- Security/privacy training for personnel; access on least‑privilege basis; MFA for privileged access.
Access Controls
- Unique user IDs; role‑based access; periodic access reviews; SSO support where available.
- Strong authentication for production systems; session management; device hygiene standards for admins.
Data Protection
- Encryption in transit (TLS 1.2+); encryption at rest for primary data stores provided by leading cloud providers.
- Data minimization; segregation of environments; hardened images and configuration baselines.
Operations & Monitoring
- Logging and monitoring of security‑relevant events; alerting and incident response runbooks.
- Vulnerability management and patching program; third‑party scanning; change management.
Resilience & Continuity
- Regular backups with tested restoration; geographically redundant cloud infrastructure; business continuity planning and disaster recovery procedures.
Supplier Management
- Security and privacy due diligence for subprocessors; contractual requirements aligned to this DPA; periodic reassessment.
Development Security
- Secure SDLC practices; code review; dependency management; secrets management; separate test/stage/prod environments.
Testing
- Internal testing; external assessments as appropriate; remediation tracking.
Incident Response
- Defined incident response process with roles, escalation, and customer communications.
Scope. This Annex lists third‑party Affiliates and vendors AdSights may engage as subprocessors to support the Services when Processing Customer Personal Data as Processor/Service Provider. It reflects a typical US‑primary setup with no dedicated EU regional hosting enabled at this time. Locations and vendors may evolve; updates will be made in accordance with DPA §5.2 (notice to the extent required by law; AdSights may engage/replace without prior notice where operationally necessary or where prior notice is not legally required).
Processing Locations (today): United States (primary). Providers identified as “Global/Anycast” may route traffic through worldwide networks.
Status Legend: (E) Enabled/in use • (O) Optional/feature‑dependent • (P) Planned/pending.
Status | Provider (Legal Entity) | Role / Purpose | Categories of Personal Data | Processing Location(s) | Notes / Transfer Mechanism |
---|---|---|---|---|---|
E | Google Cloud Platform (Google LLC) | Primary cloud hosting, storage, compute; managed DB; networking | Customer Personal Data stored/processed by the app; logs/telemetry | US regions (e.g., us‑east/us‑central) | Data encrypted at rest/in transit (provider defaults). SCCs in place for cross‑border transfers if/when applicable. |
E | Vercel Inc. | Edge hosting/build/preview; static asset delivery | Request metadata; IP/device headers; content/asset data in transit | US (edge/PoPs per provider); Global Anycast for delivery | Traffic may transit globally (Anycast/CDN). No EU regional pinning presently. |
E | Fly.io, Inc. | Edge app hosting/compute | App traffic in transit; request metadata; logs/telemetry | US regions (selected) | Regional placement US‑only; no EU regions enabled. |
O | Cloudflare, Inc. | CDN/DNS/WAF/edge security | IP addresses; request headers; security telemetry | Global/Anycast; US account region | Used for network protection and caching if enabled. |
O | Amazon Web Services (AWS) | Cloud hosting, storage, CDN, security | Customer Personal Data stored/processed by the Services; logs/metadata | US/EU (select) | SCCs/Regional storage as applicable |
O | BetterStack, Inc. | Log management and monitoring | Application logs and telemetry data | US (provider-managed) | Used for centralized logging and monitoring if enabled |
Status | Provider | Role / Purpose | Categories of Personal Data | Processing Location(s) | Notes / Transfer Mechanism |
---|---|---|---|---|---|
E | Clerk, Inc. | Authentication/identity, user management, sessions/MFA | User identifiers, names, emails; auth/session tokens; IP/device metadata | US | Used for sign‑in/sign‑up, session mgmt, MFA. |
E | Postmark (ActiveCampaign, LLC) | Transactional email delivery | Admin/user names, emails; notification metadata | US | Outbound email (password resets, alerts). |
E | HubSpot, Inc. | CRM, support ticketing, customer comms | Account/admin contact info; support metadata; email headers | US (primary), provider‑managed | Used for sales/support ops; may store attachments sent to support. |
O | Klaviyo, Inc. | Marketing email (opt‑in) | Admin/contact names, emails; subscription prefs | US | Marketing communications if enabled. |
Status | Provider | Role / Purpose | Categories of Personal Data | Processing Location(s) | Notes / Transfer Mechanism |
---|---|---|---|---|---|
E | Google Analytics (Google LLC) | Site analytics (marketing site) | Online identifiers; IP/device info; usage events | US (provider‑managed) | Controller‑side analytics for AdSights’ Site. |
E | Google Tag Manager (Google LLC) | Tag orchestration (Site) | Event metadata (container triggers); request headers | US (provider‑managed) | Loads tags configured by AdSights; not an analytics tool by itself. |
O | PostHog, Inc. | Product analytics (app) | Usage telemetry; events; device/IP | US (or provider‑managed) | Used if enabled for app analytics; can be self‑hosted. |
O | Mixpanel, Inc. | Product analytics (app) | Usage telemetry; events; device/IP | US (provider‑managed) | Alternative to PostHog if enabled. |
O | Hotjar Ltd. | Session replay/feedback (site/app) | Event data; device/IP; screen recordings (config‑dependent) | EU (provider‑managed); data accessible from US | If enabled, configured to avoid sensitive data. |
Status | Provider | Role / Purpose | Categories of Personal Data | Processing Location(s) | Notes |
---|---|---|---|---|---|
O | Sentry (Functional Software, Inc.) | Error monitoring | Application telemetry; stack traces (PII‑redaction recommended) | US/EU (acct setting); US by default | Configure PII scrubbing; sample rates. |
O | Datadog, Inc. | Performance monitoring / logs | Metrics, traces, logs (PII‑redaction recommended) | US/EU (acct setting); US by default | Limit log ingestion of personal data. |
O | LightningStudio | Creative processing/transcoding; AI‑assisted transforms | Creative/media assets and derived metadata (may contain personal data) | US (provider‑managed) | Use with data‑minimization and pre‑masking where feasible. |
Status | Provider | Role / Purpose | Categories of Personal Data | Processing Location(s) | Notes |
---|---|---|---|---|---|
O | Stripe, Inc. | Payment processing; invoicing | Billing contact info; payment tokens; fraud signals | US (provider‑managed) | Stripe acts as independent controller for certain fraud/AML data. |
- Mask/Redact: Configuring analytics/replay/monitoring tools to mask fields that could contain personal data (e.g., free‑text, email, tokens).
- Access Controls: Limiting vendor access to least‑privilege; rotating API keys; enabling MFA where available.
- Retention: Setting conservative retention windows on logs/telemetry and session replay data.
- Asset Hygiene: Pre‑processing creative/media to avoid including sensitive/special‑category data unless a specific addendum allows it.
- Notice/Updates: Subprocessor changes will be communicated to the extent required by Applicable Data Protection Law; AdSights may engage/replace without prior notice where operationally necessary or where notice is not legally required.
- Objection: Where permitted by law, Customer may reasonably object to a newly‑added subprocessor pursuant to DPA §5.3. If unresolved within 30 days, Customer may disable the affected feature(s) or terminate the affected Order prospectively. No refunds/credits apply; this is Customer’s sole and exclusive remedy.
Administrative Note: This Annex reflects current US‑primary operations. Should EU regional hosting or new vendors be enabled, this Annex will be updated and, where required by law, notice provided consistent with DPA §5.2. SCCs/UK/Swiss transfer safeguards are already incorporated in the DPA for future cross‑border needs.
- UK Addendum: The ICO's International Data Transfer Addendum to the EU SCCs (or IDTA) is incorporated by reference; tables completed by reference to Annex I–III above.
- Swiss Addendum: For Swiss FADP transfers, references to GDPR are construed mutatis mutandis; the competent authority is the FDPIC; the governing law is Swiss law for SCC disputes.
Last updated: 9/27/2025