Legal

Data Processing Agreement

Last updated: April 22, 2026

This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement or other written agreement (“Principal Agreement”) between Altavara LLC. (“Altavara,” “Processor”) and the customer identified in the Principal Agreement (“Customer,” “Controller”).

It reflects the parties' agreement with respect to the processing of Personal Data by Altavara on behalf of the Customer in connection with the Altavara advertising technology platform and related services (the “Services”). Capitalized terms not defined here have the meaning given in the Principal Agreement.

1. Definitions

Applicable Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Principal Agreement, including the EU and UK General Data Protection Regulation, the California Consumer Privacy Act (as amended by the CPRA), and other US state privacy laws.

Personal Data,” “Controller,” “Processor,” “Data Subject,” “Processing” and “Sub-processor” have the meaning given under Applicable Data Protection Law.

2. Roles and scope

The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Altavara is the Processor. Each party is independently responsible for compliance with its obligations under Applicable Data Protection Law.

Altavara will Process Personal Data only: (a) to provide the Services in accordance with the Principal Agreement and Customer's documented instructions; (b) as necessary to comply with applicable law; and (c) as otherwise agreed in writing.

3. Subject matter and duration

  • Subject matter: provision of the Altavara programmatic advertising platform and related Services.
  • Duration: the term of the Principal Agreement plus any period required by applicable law or reasonably required to return or delete Personal Data.
  • Nature and purpose: delivery, measurement, and optimization of programmatic advertising campaigns; supply-path and deal-ID operations; billing and reporting.
  • Categories of Data Subjects: end users of Customer's digital properties and recipients of Customer's advertising.
  • Types of Personal Data: IP address, device and cookie identifiers, approximate geolocation, user-agent, content interaction events, and other technical identifiers typically exchanged in programmatic advertising bid streams.

4. Altavara obligations

  • Process Personal Data only on documented instructions from Customer, including with regard to international transfers, except where required by law.
  • Ensure that personnel authorized to Process Personal Data are under an appropriate obligation of confidentiality.
  • Implement appropriate technical and organizational measures to protect Personal Data — see Section 8 (Security).
  • Assist Customer, by appropriate technical and organizational measures, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
  • Assist Customer in ensuring compliance with its obligations relating to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

5. Sub-processors

Customer grants Altavara general authorization to engage Sub-processors to Process Personal Data in connection with the Services. A current list of Altavara Sub-processors is available on request at privacy@altavara.co.

Altavara will impose on each Sub-processor data protection obligations that are no less protective than those set out in this DPA and remains responsible for each Sub-processor's performance.

6. Data Subject rights

Taking into account the nature of the Processing, Altavara will assist Customer with appropriate technical and organizational measures, to the extent possible, to fulfill Customer's obligation to respond to requests from Data Subjects. If Altavara receives a request directly from a Data Subject in respect of Customer Personal Data, Altavara will promptly forward the request to Customer and will not respond except on Customer's instructions.

7. International data transfers

Where Personal Data originating from the EEA, the UK, or Switzerland is transferred to a country not recognized as providing an adequate level of protection, the parties agree that such transfers are governed by the applicable Standard Contractual Clauses, which are incorporated by reference into this DPA.

8. Security

Altavara will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include, at a minimum:

  • Encryption of Personal Data in transit and at rest;
  • Role-based access controls and least-privilege principles;
  • Regular review of security policies, vulnerability management, and secure software development practices;
  • Logging, monitoring, and alerting across production systems; and
  • Personnel security, confidentiality obligations, and security training.

9. Personal Data Breach

Altavara will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide Customer with information reasonably required to meet Customer's own breach-notification obligations under Applicable Data Protection Law.

10. Return or deletion of Personal Data

Upon termination or expiration of the Principal Agreement, Altavara will, at Customer's choice, delete or return all Personal Data Processed on Customer's behalf, and delete existing copies, unless storage is required by applicable law.

11. Audits

Altavara will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, subject to reasonable confidentiality and scheduling requirements. Altavara may satisfy audit obligations through third-party attestations (e.g., SOC 2) where available.

12. Miscellaneous

In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail to the extent of the conflict with respect to the Processing of Personal Data. This DPA may be updated from time to time to reflect changes in Applicable Data Protection Law; material updates will be communicated to Customer in advance.

Requesting a countersigned DPA

To request a countersigned version of this DPA for your records, contact privacy@altavara.co with your company name, the Altavara entity you contract with, and the signer details.