AdsPing

Legal

Data Processing Agreement

DPA for customers who need one for GDPR, UK GDPR, or KVKK compliance.

Last updated: April 16, 2026

This Data Processing Agreement (“DPA”) supplements the AdsPing Terms of Service and applies when AdsPing processes Personal Data on behalf of a Customer in connection with the Service. By using the Service, a Customer who requires a DPA for its own compliance is deemed to have entered into this DPA with AdsPing. A signed version is available on request from [email protected].

1. Definitions

  • GDPR” means Regulation (EU) 2016/679, together with the UK GDPR and the Swiss Federal Act on Data Protection.
  • KVKK” means the Turkish Law on the Protection of Personal Data No. 6698.
  • Personal Data”, “Controller”, “Processor”, “Data Subject”, and “Process” have the meanings given in the GDPR.
  • Subprocessor” means a third party engaged by AdsPing to Process Personal Data in connection with the Service.
  • SCCs” means the Standard Contractual Clauses approved by the European Commission in Decision 2021/914, as updated.

2. Roles

For Customer Data Processed in connection with the Service, the Customer is the Controller and AdsPing is the Processor. Where the Customer is itself a Processor acting on behalf of another Controller, AdsPing acts as a Subprocessor and will comply accordingly.

3. Scope and duration

AdsPing Processes Personal Data only for the duration of the Terms of Service and to the extent necessary to provide the Service. On termination, AdsPing will delete or return Personal Data in accordance with Section 10.

4. Subject matter, nature and purpose

Subject matterThe processing of website event data for the purpose of server-side conversion tracking.
Nature of processingReceipt, enrichment, hashing of direct identifiers, forwarding to advertising destinations, and storage of aggregate metadata.
PurposeEnabling the Customer to measure and optimise digital-advertising campaigns.
Categories of Data SubjectsVisitors to the Customer’s websites or apps.
Categories of Personal DataIP address, user agent, hashed email and phone (if provided by the Customer’s site), online identifiers (cookies, click IDs), page URL, UTM parameters, event type, and numeric event value.
Special categoriesNone intended. The Customer must not send special-category data through the Service.

5. Instructions

AdsPing Processes Personal Data only on documented instructions from the Customer, which are the Terms, this DPA, and the configuration the Customer sets in its dashboard (including destinations and retention settings). If AdsPing believes an instruction infringes applicable law, it will inform the Customer.

6. Confidentiality

AdsPing ensures that personnel authorised to Process Personal Data are bound by written confidentiality obligations or statutory obligations of confidentiality.

7. Security measures

AdsPing implements and maintains appropriate technical and organisational measures, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
  • Least-privilege access controls with multi-factor authentication for production systems.
  • Logging, monitoring, and alerting for anomalous access and activity.
  • Regular vulnerability scanning and dependency updates.
  • Background-verified personnel for any role that touches production.
  • Business-continuity and incident-response plans, tested at least annually.
  • Segregation of Customer Data by tenant.
  • Minimisation — AdsPing retains event Personal Data only as aggregate metadata after forwarding.

8. Subprocessors

The Customer authorises AdsPing to engage the Subprocessors listed in the Privacy Policy and at /subprocessors. AdsPing will inform the Customer of any addition or replacement of Subprocessors at least 30 days in advance by updating that page and, for customers who subscribe to the notification list, by email. If the Customer reasonably objects on data-protection grounds, the parties will cooperate to find a solution; if none is found, the Customer may terminate the affected portion of the Service.

AdsPing enters into a written contract with each Subprocessor imposing obligations equivalent to those in this DPA and remains responsible for Subprocessors’ performance.

9. International transfers

Where AdsPing transfers Personal Data out of the EEA, UK, or Switzerland, the parties agree that the SCCs (Module Two — controller to processor — for direct transfers, or Module Three — processor to processor — where the Customer is itself a Processor) are incorporated by reference and apply to such transfers. The docking clause (Clause 7) is included. The options selected are:

  • Clause 9(a): Option 2 — general written authorisation of Subprocessors, with 30 days’ notice as provided in Section 8.
  • Clause 17: Option 1 — the SCCs are governed by the law of Ireland.
  • Clause 18: disputes resolved before the courts of Ireland.
  • Annexes: Annex I.A identifies the parties; Annex I.B describes the transfer per Section 4 above; Annex II sets out the security measures in Section 7; Annex III lists the Subprocessors.

For transfers from the UK, the International Data Transfer Addendum issued by the UK Information Commissioner applies. For transfers from Switzerland, the FDPIC equivalents apply.

10. Assistance, audits, breach notification, return and deletion

  • Assistance — AdsPing provides reasonable assistance with data-subject requests, impact assessments, and consultations with supervisory authorities, taking into account the nature of the Service and information available to us.
  • Audits — The Customer may audit AdsPing’s compliance with this DPA no more than once per year, on reasonable notice, subject to confidentiality, and limited in scope. AdsPing may fulfil audit requests by providing a recent independent audit report (e.g. SOC 2, ISO 27001) where available.
  • Personal Data Breach — AdsPing notifies the Customer without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach affecting Customer Data, and provides the information the Customer needs to meet its own notification obligations.
  • Return / deletion — On termination, AdsPing deletes or returns Customer Data within 30 days, except to the extent retention is required by law or for aggregate metadata that cannot identify any Data Subject.

11. KVKK

For Customers subject to KVKK, AdsPing acts as “veri işleyen” (data processor) in the meaning of Article 3. AdsPing may, at the Customer’s election, process events in a Turkey-region endpoint to address data-localisation preferences. Standard obligations of a data processor under KVKK Articles 12 and related regulation are incorporated into this DPA.

12. Liability

Each party’s liability under this DPA is subject to the limitations in the Terms of Service.

13. Precedence

This DPA forms part of the Terms of Service. In case of conflict between the Terms and this DPA on the subject of data protection, this DPA prevails. In case of conflict between this DPA and the SCCs, the SCCs prevail.

14. Contact

Data-protection contact: [email protected]
Legal: [email protected]