This Data Processing Agreement (the "DPA") is entered into on the Effective Date by and between Screencore’s entity ("Screencore"), specified in the Service Agreement or other applicable agreement (the "Agreement"), and Partner’s entity ("Partner"), specified in the Agreement, each a "Party" and collectively the "Parties". This DPA is incorporated into the Agreement between the Parties by reference to govern the processing of Personal Data in connection with Screencore's advertising technology platform and/or other services related to online advertising technology. “Partner” in this DPA shall mean AdExchange Platform, Supply Side Platform, Demand Side Platform, or other entity receiving the Services from Screencore, or vice versa. Except as modified below, the terms of the Agreement remain in full force and effect.
1. Definitions
1.1 "Applicable Data Protection Laws" means all applicable laws, regulations, and legally binding requirements relating to the processing of Personal Data under the Agreement, including, where applicable, Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and the Data Protection Act 2018, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other applicable United States state privacy laws, in each case as amended, supplemented, or replaced from time to time, together with any implementing regulations or guidance issued by competent supervisory authorities.
1.2 "EU Standard Contractual Clauses (EU SCCs)" means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
1.3 "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" shall have the meanings assigned to them under the GDPR and Applicable Data Protection Laws.
1.4 “Effective Date” means the earlier of (i) the date of final signature of the Agreement, and (ii) the date on which the processing of Personal Data has begun.
1.5 “Personal Data” means any information relating to an identified or identifiable person processed under any services agreement between the Parties.
1.6 “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by a Party.
1.7 "Sensitive Data" means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, precise geolocation data (where classified as sensitive), or data relating to children.
1.8 “Sub-processor” means any third party appointed by a Party of this DPA to process Personal Data in connection with the Agreement on behalf of such Party.
1.9 “Supervisory Authority” / “Data Protection Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Applicable Data Protection Laws.
1.10 “Transfer” means the access by, transfer, or delivery to, or disclosure to a person, entity, or system of Personal Data where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.
2. Roles of the Parties
2.1 Depending on the services performed by the Parties, personal data may be transferred from one Party to another (e.g., each Party may act as a Supply-Side Platform or a Demand-Side Platform). In performing their respective obligations, the Parties acknowledge that neither Party collects Personal Data directly from end users.
2.2 Independent Controllers: Each Party acts as a separate and independent Controller of the Personal Data it processes under the Agreement. Each Party shall individually determine the purposes and means of its processing and is independently responsible for its own compliance with Applicable Data Protection Laws. Neither Party processes, nor will it process, Personal Data that it discloses or receives under the Agreement as a joint controller.
2.3 US Privacy Laws: To the extent the Parties Process Personal Data subject to the CCPA, the receiving Party (acting as the “Third Party”) will provide the same level of privacy protection to the Personal Data as required of the disclosing Party (acting as the “Business”) by the CCPA. The Personal Data is made available to the Third Party by the Business solely for the purposes specified in the Agreement and Annex I thereto.
3. Obligations on Consent
3.1 Lawfulness and Consent: Either Party is solely responsible for ensuring the existence of valid Data Subject consent (or establishing another lawful basis) and communicating all relevant withdrawals or revocations of consent to the initial controller, if such a Party is a Supply-Side entity. Either Party is solely responsible for ensuring that there is a legal ground for processing the Personal Data covered by this DPA.
3.2 Transparency & Notices: Either Party must conspicuously post a privacy policy on its digital properties that discloses its data collection practices, the use of third-party advertising technology, and provides clear opt-out mechanisms for targeted advertising and the "sale" or "sharing" of Personal Data (if applicable).
3.3 Privacy Signals: Either Party shall accurately read and act according to, and/or transmit, user consent and opt-out choices to the other Party using standardized industry frameworks, such as the IAB Transparency & Consent Framework (Screencore is a registered TCF Vendor, ID 1473), Global Privacy Platform (GPP), or Global Privacy Control (GPC).
3.4 Restrictions: Either Party shall not transmit to the other Party any Sensitive Data, except precise geolocation data, processing of which is subject to the Data Subject’s consent.
4. Obligations
4.1 Purpose Limitation: Each Party agrees to collect, use, retain, and otherwise Process Data strictly for the purposes expressly defined in the Agreement and in accordance with applicable Privacy Requirements.
Neither Party shall:
(a) Process Data for any purpose that is incompatible with the purposes specified in the Agreement; (b) Use Data for its own direct marketing purposes unless it has obtained the necessary consent or has another appropriate legal basis under applicable law; (c) Disclose Data to any third party unless such disclosure is authorized by the Agreement, required by law, or necessary to comply with a valid legal obligation.
Specifically, with respect to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”):
(a) Each Party shall not retain, use, or disclose Personal Information received through bid requests for any purpose other than the specific business purposes defined in the Agreement or as otherwise permitted under the CCPA; (b) Each Party shall not use Data to build or modify consumer profiles for use outside the permitted scope of processing, or to re-identify de-identified data; (c) Where a valid opt-out signal is received and honored (including via the Global Privacy Platform (GPP), Global Privacy Control (GPC), or other recognized mechanisms), each Party shall Process such Data in a restricted manner and, where required under applicable law, act as a Service Provider and limit processing to the business purposes permitted under the CCPA.
4.1.1 US Privacy Compliance – Third Party and Service Provider Designation: For the purposes of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”), and other applicable U.S. privacy laws:
Each Party may act as a Third Party when receiving bid requests and associated Personal Information from the other Party or from supply-side or demand-side partners. In such capacity, each Party shall process Personal Information as an independent Business and certifies that it shall not Sell or Share Personal Information in a manner that would cause the disclosing Party’s provision of such Personal Information to constitute a “sale” or “sharing” under the CCPA, except where appropriate notice and the opportunity to opt out have been provided to the consumer by the first party or publisher.
Upon receiving and honoring a valid opt-out signal (including signals communicated via the Global Privacy Platform (GPP), Global Privacy Control (GPC), or other recognized mechanisms), each Party shall Process such Personal Information in a restricted manner and, to the extent required under applicable law, act as a Service Provider, limiting its processing to the business purposes permitted under the CCPA and applicable regulations.
In such cases, each Party shall not: (a) retain, use, or disclose Personal Information for any purpose other than those permitted under the CCPA and the Agreement; (b) combine Personal Information received from the other Party with Personal Information obtained from other sources, except as permitted under applicable law; (c) use Personal Information for cross-context behavioral advertising where prohibited by applicable opt-out signals.
Each Party shall have the right to take reasonable and appropriate steps to ensure that the other Party processes Personal Information in a manner consistent with its obligations under the CCPA, including through audits or other appropriate means.
In the event that a Party becomes aware of unauthorized use of Personal Information by the other Party, or if such use is identified through monitoring activities, such Party shall have the right to take reasonable and appropriate steps to stop and remediate such use, including suspending data transfers or terminating the Agreement where necessary.
Each Party shall promptly notify the other Party if it determines that it can no longer meet its obligations under the CCPA or is unable to process Personal Information in compliance with applicable Privacy Requirements and this Agreement.
4.2 Retention: The Parties shall adhere to retention periods of Personal Data stated in their public privacy policies. Either Party shall retain Personal Data for no longer than is necessary for the purposes for which it was obtained under the Agreement and shall delete or anonymize Personal Data upon termination of the Agreement.
4.3 Cooperation: The Parties will make available all information reasonably necessary to each other as may be required to demonstrate compliance with Applicable Data Protection Laws.
4.4 Data Subject Requests: Each Party may respond directly to Data Subject requests addressed to it relating to its processing of Personal Data.
It is agreed that where either Party receives a request from a Data Subject in respect of Personal Data related more to the processing by the other Party, where relevant, such Party will direct the Data Subject to the other Party, as applicable, to enable the other Party to respond directly to the Data Subjectʼs request.
At the request of a Party receiving a Data Subject request, the other Party will cooperate reasonably in assessing and fulfilling such requests for notification, access, erasure or other requests under Applicable Data Protection Laws.
4.5 Security: Each Party will have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data by or on behalf of the parties.
4.6 Personnel: Each Party will ensure that its access to the Personal Data is limited only to those personnel who require such access to perform the Services. Each Party shall impose contractual obligations upon its personnel engaged in the Processing of Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Each Party shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements.
4.7 Personal Data Breach: In the event of a Personal Data Breach affecting the other Party's data, the Party will notify the other Party without undue delay (e.g., within 24 hours) and take steps to mitigate the Personal Data Breach. Such notification shall include the following information, to the extent in the possession and control of the Party suffering the Personal Data Breach and to the extent possible: the types and number of Data Subjects affected, the categories of Personal Data affected, the possible cause of the Personal Data Breach, the possible adverse consequences, and the likelihood of their occurrence. If the information is not available at the first instance, it shall be provided in phases.
4.8 Data Protection Impact Assessment: Upon either Party’s reasonable request, to the extent required under Applicable Data Protection Laws, the other Party shall assist the requesting Party in complying with any required data protection impact assessment, taking into account the information available to the providing Party.
4.9 Audits: Either Party (auditing Party) may, no more than once in any twelve (12) month period (except where required by law or following a Personal Data Breach), mandate a reputable and independent auditor to perform an audit of the other Party’s (audited Party’s) Processing of Personal Data solely to verify compliance with this DPA. Auditing Party shall give the audited Party at least thirty (30) days’ prior written notice of any audit or inspection to be conducted under this DPA. The Parties shall mutually agree upon the scope, timing, and duration of the audit or inspection, provided that in this event, the audited Party may not unilaterally and unreasonably reject any reasonable audit details or parameters proposed by the auditing Party. Any such audits shall be conducted during normal business hours and in a manner designed to minimise disruption of the audited Party’s normal operation. The audited Party shall cooperate in good faith with any such audit and may require the auditor to sign a customary confidentiality undertaking. Audits may be conducted through remote review of documentation. Auditing Party shall bear its own costs of any such audit. Any such audits and their results shall be subject to confidentiality obligations.
4.10 Supervisory Authorities: If either Party receives a complaint, notice or communication from a competent Data Protection Authority (or other official authority) which relates to the processing of Personal Data in the context of services under the Agreement, it shall, to the extent permitted by law, notify the other Party and provide such information as may reasonably be requested. Each Party shall notify the other Party of any requirements from a Data Protection Authority (or other official authority) as soon as possible, but no later than within twenty-four (24) business hours of receiving said enquiry. Both Parties agree to cooperate and assist each other reasonably.
4.11 Liability. Each Party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to any limitation of liability as outlined in the Agreement, and any reference to such limitation of liability of a Party means the aggregate liability of the Party under the Agreement and this DPA together. Additionally, each Party shall be independently liable for its own Processing of Personal Data to the extent such Processing does not comply with Applicable Data Protection Laws.
5. Third Party Engagement
5.1 Independent third parties. Each Party may engage third parties to process personal data under its own responsibility as an independent controller. Where a Party discloses personal data to such third parties, it shall ensure that such disclosure is made in compliance with applicable data protection laws and that appropriate contractual or legal safeguards are in place to protect the personal data.
6. International Data Transfers (Standard Contractual Clauses)
6.1 Either Party may operate globally. Where the Services involve the transfers of Personal Data of Data Subjects from the European Economic Area to a jurisdiction that is not the beneficiary of an adequacy decision under EU Data Protection Laws, both Parties agree that such transfers shall be governed as follows: (i) for Data Subjects located in the EEA, by the unchanged version of the standard contractual clauses in Commission Decision 2021/914/EU (as can be found at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN). Module 1 (Controller to Controller) therein shall apply.
The relevant provisions of the EU SCCs are incorporated by reference and form an integral part of this DPA. Clauses and annexes of the EU SCCs deemed to be completed are as follows:
(i) in Clause 7, the optional docking clause shall not apply;
(ii) in Clause 11, the optional provision shall not apply;
(iii) in Clause 13(a), the applicable option shall apply;
(iv) in Clause 17, Option 1 shall apply and the Parties agree that the laws of the Republic of Poland shall govern the Clauses;
(v) in Clause 18(b), disputes shall be resolved by the courts of Warsaw, the Republic of Poland;
(vi) Annex I of the EU SCCs is deemed completed with the information set out in Annex I of this DPA;
(vii) Annex II of the EU SCCs is deemed completed with the information set out in Annex II of this DPA.
6.2 UK Transfers: For Data Subjects located in the UK, by the EU SCC plus the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as can be found at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/appropriate-safeguards/what-are-standard-data-protection-clauses-the-uk-idta-and-the-addendum/ (or as it may be amended or replaced) (the “UK Addendum”). The Annexes attached to this DPA provide the information required by the UK Addendum as set out in Annexes I, II to this DPA. The Annexes attached to this DPA provide the information required by Annexes I, II and III of the EU SCC and by the UK Addendum as set out in Annex I.B to this DPA.
6.3 Swiss Data Transfers: The Parties agree that for transfers of Personal Data from Switzerland, the terms of the EU SCCs shall be amended and supplemented as specified by the relevant guidance of the Swiss Federal Data Protection and Information Commissioner, and the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner.
7. General Provisions
7.1 Order of precedence: In the event of any conflict between the DPA and the Agreement, the DPA will prevail.
7.2 Termination: This DPA shall terminate automatically upon the termination of the Agreement, provided, however, that each Party’s obligations under this DPA will apply for so long as the other Party has access to its Personal Data.
7.3 Severability: If any provision or condition of this DPA is held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this DPA shall remain valid. The provision or condition affected shall be construed to be amended in such a way that ensures its validity, lawfulness and enforceability while preserving the parties’ intentions, or if that is not possible, as if the invalid, unlawful or unenforceable part had never been contained in this DPA.
7.4 Governing Law and Dispute Resolution: This DPA shall be governed by and construed in accordance with the laws governing the Agreement, and any disputes shall be resolved by the courts agreed for the resolution of disputes under the Agreement, except to the extent required otherwise under the SCCs.
7.5 Signing: Parties mutually represent and warrant that they have the right, power, and authority to enter into the Agreement and perform their obligations as set forth herein and that they will perform their obligations under the DPA. The Parties may execute this Agreement in counterparts, including facsimile, PDF, and electronic signature systems (e.g., DocuSign), and other electronic copies, which, taken together, will constitute one instrument.
7.6 Modification: Screencore may modify this DPA from time to time by posting the modified version on its website. The Partner is responsible for periodically reviewing such a page for updates. Such modifications shall be binding upon being posted.
7.7 Contact: For privacy inquiries, data subject requests, or breach notifications, the Partner may contact Screencore at legal@screencore.io or dpo@screencore.io. The Partner’s contact details for privacy-related purposes must be communicated to Screencore by email at legal@screencore.io or dpo@screencore.io.
ANNEX I: Details of Processing
(To be incorporated into Annex I of the EU SCCs)
A. List of Parties
Data Exporter is an entity that transfers personal data to the other entity, Data Importer. Depending on the specific services between the Parties, either Party may be a Data Exporter or a Data Importer.
Data Exporter/Data Importer: Screencore, acting as Controller.
Data Exporter/Data Importer: Partner, acting as Controller.
B. Description of Transfer
Categories of Data Subjects: End Users (individuals who explore the publishers’ websites and/or applications and receive advertisements).
Categories of Personal Data: Device and technical data (IP address, location, user-agent string), Digital identifiers (device advertising IDs such as IDFA/GAID, cookie IDs, exchange IDs), Interaction data (ad impressions, timestamps, page context), and Privacy preference signals (TCF/GPP strings).
Sensitive Data: The data exporter does not transfer special categories of data (sensitive data). The data importer does not obtain access to special categories of data (sensitive data).
Frequency of Transfer: The personal data is transferred on a continuous basis.
Nature and Purpose of Processing: Processing is conducted to facilitate programmatic advertising transactions, deliver digital ads, ensure brand safety, prevent invalid traffic/fraud, and measure ad performance. Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
Retention Period: The personal data shall be stored not longer than for the duration of this DPA concluded between the data importer and the data exporter, unless otherwise agreed in writing or the data importer is required by applicable law to retain some or all of the transferred personal data.
Signature & Date: By entering into this DPA, Data Importer and Data Exporter are deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of this DPA.
C. Competent Supervisory Authority
In accordance with Clause 13, the competent supervisory authority under these Clauses is Urząd Ochrony Danych Osobowych (Polish Personal Data Protection Office).
ANNEX II: Technical and Organisational Measures
(To be incorporated into Annex II of the EU SCCs)
Description of the technical and organisational measures implemented by the Data Importer to ensure an appropriate level of security:
1. Physical Access Controls:
- classification of persons who are granted physical access;
- electronic access control;
- implementation of measures for on-premise security;
- alarm device or security service outside service times;
- issuance of access ID badges or visitor badges.
2. Logical Access Controls:
- classification and accountability of persons who may access data processing equipment;
- approved users are issued with unique credentials, which must not be shared with or communicated to any other person;
- regular review to ensure that only those persons who require access to systems are provided with such access;
- password protection for devices and system access;
- implementation of company policies for external contractors;
- agreements with any sub-processors contain strict confidentiality obligations.
3. Data Access Control:
- allocation of separate terminals/workstations and of ID-parameters exclusively to specific functions;
- implementation of partial access rights for respective data and functions;
- implementation of policy on access- and user-roles;
- evaluation of protocols in case of damaging incidents;
- access to the data is promptly removed upon termination of relations or change of role;
- monitoring access to applications, tools, and resources that process or store data, including cloud services.
4. Cryptographic Techniques:
- data encryption.
5. Computer and Network Security:
- controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it;
- password security procedures;
- description of a process to detect any unauthorised access or anomalous use;
- effective anti-malware defences to protect computers from malware infection;
- monitoring user and system activity to identify and help prevent data breaches;
- boundary firewalls to protect computers from external attack and exploitation.
6. Availability control:
- implementation of a regular backup schedule;
- control of condition and respective labelling of data carriers for data backup purposes;
- safe storage of data backups in fire- and water-protected security cabinets;
- implementation and regular control of emergency power systems and overvoltage protection systems;
- implementation of an emergency plan;
- protocol on the initiation of crisis- and/or emergency management.
7. Organizational measures:
- regular assessments on the effectiveness of administrative, organizational, technical and physical safeguards reasonably designed to protect the services and confidentiality, integrity and availability of personal data.
- adopted measures for ensuring accountability, such as implementing data protection policies, maintaining documentation of processing activities, recording and reporting security incidents involving personal data, and appointing a data protection officer or other person responsible for data protection.