GDPR Article 28 — Legal Document

Data Processing Agreement

Version: 1.4 · Effective: 1 January 2025 · Governing Law: England & Wales / EU GDPR

This Data Processing Agreement ("DPA") forms part of the agreement between CyanAds Ltd ("Processor") and the partner who has agreed to the CyanAds Terms of Service ("Controller"). It reflects the requirements of GDPR Article 28 and UK GDPR and governs CyanAds' processing of personal data on behalf of the Controller.

📄 Need a pre-signed DPA for your compliance records?

Request Signed DPA →

01 Definitions

"Controller" — entity that determines the purposes and means of processing Personal Data
"Processor" — CyanAds Ltd, processing on behalf of the Controller
"Personal Data" — as defined in GDPR Article 4(1)
"Processing" — as defined in GDPR Article 4(2)
"Sub-processor" — any third party engaged by CyanAds to process Personal Data
"Security Incident" — confirmed breach leading to unauthorised access, loss, or disclosure of Personal Data

02 Subject Matter and Duration

CyanAds processes Personal Data to provide programmatic advertising technology services as described in the service agreement. This DPA is effective for the duration of the service agreement and terminates automatically upon its expiry or termination.

03 Nature and Purpose of Processing

Element	Detail
Subject Matter	Operation of programmatic advertising infrastructure (SSP, header bidding, mediation)
Duration	Term of the service agreement
Nature	Collection, storage, transmission, analysis, deletion of bid request and impression data
Purpose	Real-time bidding, yield optimisation, fraud prevention, performance reporting
Data Subject Types	End users of Controller's digital properties
Personal Data Categories	Device identifiers (hashed), truncated IP, User Agent, contextual signals, consent strings

04 Processor Obligations (CyanAds)

CyanAds shall:

Process Personal Data only on documented instructions from the Controller
Ensure all authorised personnel are bound by confidentiality obligations
Implement appropriate technical and organisational security measures (Section 7)
Respect the conditions for engaging Sub-processors (Section 6)
Assist the Controller in responding to Data Subject requests (Section 8)
Assist with obligations under GDPR Articles 32–36 (security, breach notification, DPIAs)
Delete or return all Personal Data upon termination (Section 10)
Make available information necessary to demonstrate compliance and support audits (Section 12)
Immediately inform the Controller if an instruction would infringe applicable data protection law

05 Controller Obligations

The Controller shall:

Ensure there is a valid legal basis before instructing CyanAds to process Personal Data
Ensure appropriate consent has been obtained via a GDPR-compliant CMP supporting IAB TCF v2.2
Ensure all instructions comply with applicable data protection laws
Implement appropriate technical and organisational measures on the Controller's side
Notify CyanAds of any changes that affect processing obligations

06 Sub-processors

The Controller provides general written authorisation for CyanAds to engage Sub-processors. Current Sub-processors:

Sub-processor	Purpose	Location
Amazon Web Services (AWS)	Cloud hosting & infrastructure	EU / US (SCC)
Google Cloud Platform	Analytics & ML infrastructure	EU / US (SCC)
Protected Media	IVT detection & fraud prevention	Israel (Adequacy)
Prebid Server (self-hosted)	Header bidding operations	EU

CyanAds provides 30 days' advance notice of new Sub-processor appointments. The Controller may object within this period. All Sub-processors are bound by equivalent data protection obligations.

07 Security Measures (GDPR Article 32)

Technical Measures

TLS 1.3 encryption for all data in transit; AES-256 at rest
Pseudonymisation of Personal Data where technically feasible
Automated vulnerability scanning and regular penetration testing
Network segmentation, WAF, and DDoS protection
Multi-factor authentication (MFA) for all system access

Organisational Measures

Role-based access control (RBAC) with least-privilege principles
Annual data protection training for all staff
Designated Data Protection Officer (DPO)
Documented incident response and business continuity plans
ISO 27001-aligned information security management

08 Data Subject Rights Assistance

CyanAds shall, to the extent reasonably practicable, assist the Controller in fulfilling obligations under GDPR Articles 15–22 (access, erasure, portability, restriction, objection).

CyanAds implements opt-out and suppression via standard industry channels (IAB TCF, Global Privacy Control) and honours such signals within 24 hours of receipt.

09 Security Incident Notification

In the event of a Security Incident, CyanAds shall:

Notify the Controller without undue delay and no later than 48 hours after becoming aware
Include: nature of incident, categories and approximate number of Data Subjects affected, categories and approximate number of records affected, likely consequences, and measures taken
Cooperate fully and provide all further information reasonably required
Take necessary steps to mitigate the effects and prevent recurrence

Inbound security reports: security@cyanads.com

10 Return and Deletion of Data

Upon termination, CyanAds shall at the Controller's election within 30 days:

Return: export all Personal Data in a commonly used machine-readable format; or
Delete: securely destroy all Personal Data and provide written certification.

Note: Aggregated, anonymised data that cannot reasonably identify any Data Subject is not "Personal Data" for this clause and may be retained for analytics and model improvement.

11 International Data Transfers

Transfers outside the EEA or UK are governed by:

Standard Contractual Clauses (EU Commission Decision 2021/914)
UK IDTAs for UK-originating data
Adequacy decisions where available

12 Audit Rights

CyanAds will support audits by the Controller or a mandated third-party auditor. The Controller must provide at least 30 days' written notice. Audits are conducted during business hours at the Controller's cost.

As an alternative to on-site audit, CyanAds may provide a current ISO 27001 or SOC 2 Type II report where appropriate.

13 Liability and Indemnification

Liability under this DPA is subject to the limitations in the main service agreement. Where one party is held liable for a breach attributable to the other, it may recover that portion from the responsible party.

14 Governing Law

This DPA is governed by the laws of England and Wales. EU GDPR takes precedence in matters of conflict regarding EU data subjects.

Signature Block

This DPA is incorporated by reference into the main service agreement. By executing that agreement, both parties confirm acceptance of these terms.

Data Processor

CyanAds Ltd

Authorised Signatory / Date

Name: ______________________
Title: ______________________
Date: ______________________

Data Controller

[Partner Company Name]

Authorised Signatory / Date

Name: ______________________
Title: ______________________
Date: ______________________

Pre-signed copy: dpo@cyanads.com