Data Processing Addendum
Last Updated: July 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between AdPeak Ltd (“AdPeak,” “we,” “us”), a company registered at Companies House under company number 17261264 with its registered office at M-SPARC, Menai Science Park, Gaerwen, Gwynedd, LL60 6AG, United Kingdom, and the customer (“Customer,” “you”). It applies where AdPeak processes Personal Data on your behalf in connection with the Services. In the event of a conflict between this DPA and the Terms of Service in respect of data protection, this DPA prevails.
1. Definitions
- “Data Protection Law” means all laws applicable to the processing of Personal Data under this DPA, including the UK GDPR and the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679), and, where applicable, the California Consumer Privacy Act (CCPA/CPRA).
- “Personal Data,” “Controller,” “Processor,” “Data Subject,” “Processing,” and “Personal Data Breach” have the meanings given in the UK/EU GDPR.
- “Customer Personal Data” means Personal Data that AdPeak processes on your behalf in providing the Services.
- “Sub-Processor” means any processor engaged by AdPeak to process Customer Personal Data.
- “SCCs” means the European Commission’s Standard Contractual Clauses (Decision 2021/914). “UK Addendum” means the UK Information Commissioner’s International Data Transfer Addendum to the SCCs.
Capitalised terms not defined here have the meaning given in the Terms of Service.
2. Roles of the Parties
The parties acknowledge that, in respect of Customer Personal Data:
- You are the Controller (or, where you act on behalf of your own clients, a Processor acting on their behalf), and AdPeak is the Processor (or sub-processor).
- AdPeak is an independent Controller for the limited Personal Data it processes for its own business purposes — such as account administration, billing, security, and website analytics — which is governed by the Privacy Policy rather than this DPA.
Where you act as a Processor on behalf of a third-party controller (for example, an agency acting for its advertiser clients), you warrant that you have the authority and instructions of that controller to engage AdPeak as a sub-processor on the terms of this DPA.
3. Scope and Details of Processing
- Subject matter: Provision of the Services described in the Terms of Service.
- Duration: For the term of the Terms of Service and until deletion of Customer Personal Data in accordance with Section 10.
- Nature and purpose: Reading and analysing connected-account data to generate reports, insights, and product-labelling outputs; powering the AI assistant and agent tools; hosting, storage, logging, and support.
- Types of Personal Data: Account identifiers and contact details of your personnel; authentication credentials and OAuth tokens; and any Personal Data contained within the connected Google Ads / Merchant Center data or in conversation content. In the ordinary course, connected-account data comprises product and advertising-performance data and does not contain end-consumer Personal Data.
- Categories of Data Subjects: Your authorised users and personnel; and any individuals whose Personal Data you choose to include in data you make available to the Services.
4. AdPeak’s Obligations
AdPeak shall:
- Process on documented instructions. Process Customer Personal Data only on your documented instructions (including as set out in this DPA and the Terms of Service), unless required to do otherwise by law, in which case AdPeak will inform you unless legally prohibited.
- Purpose limitation. Not process Customer Personal Data for any purpose other than providing the Services, except that AdPeak may create and use anonymised and aggregated data that does not identify you or any Data Subject.
- No sale. Not sell or share Customer Personal Data, and not retain, use, or disclose it outside the direct business relationship or for any purpose other than providing the Services, within the meaning of the CCPA/CPRA.
- Confidentiality. Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
- Security. Implement and maintain the technical and organisational measures described in Section 7.
- Assist you by appropriate technical and organisational measures, insofar as possible, in responding to Data Subject requests (Section 8) and in meeting your obligations regarding security, breach notification, data protection impact assessments, and prior consultation (Articles 32–36 GDPR).
- Notify you if, in its opinion, an instruction infringes Data Protection Law.
- Make available information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits (Section 9).
5. Customer’s Obligations
You shall:
- Comply with your obligations as a Controller under Data Protection Law.
- Ensure you have a valid lawful basis and all necessary rights, consents, and notices to make Customer Personal Data available to AdPeak and its Sub-Processors for the purposes of the Services.
- Ensure your instructions for processing are lawful.
- Be responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which you acquired it.
- Where you act for your own clients, ensure you are authorised to appoint AdPeak as a sub-processor and to bind those clients to terms consistent with this DPA.
6. Sub-Processors
- You provide general authorisation for AdPeak to engage Sub-Processors to process Customer Personal Data. Our current Sub-Processors are listed at /sub-processors.
- AdPeak will impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA, and remains liable for its Sub-Processors’ performance of those obligations.
- AdPeak will give at least 30 days’ prior notice of any intended addition or replacement of a Sub-Processor (via the Sub-Processor page and/or email). You may object on reasonable data-protection grounds within that period; if the objection cannot be resolved to the parties’ mutual reasonable satisfaction, you may terminate the affected Services as your sole remedy.
7. Security — Technical and Organisational Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, AdPeak maintains appropriate technical and organisational measures, including:
- Encryption of Personal Data in transit (TLS) and at rest.
- Access control on a least-privilege basis, with authentication and role-based authorisation; third-party credentials (such as Google OAuth tokens) are stored securely and revoked and nullified on account deletion.
- Network and infrastructure security, with all platform data hosted on Google Cloud Platform in hardened, access-controlled environments.
- Logging and audit trails of actions taken within the Services.
- Resilience and recovery measures consistent with the hosting provider’s capabilities.
- Segregation of customer data at the application level.
- Secure development and change management practices, including code review and automated testing.
- Personnel subject to confidentiality obligations and security awareness.
AdPeak may update these measures from time to time provided the level of protection is not materially reduced.
8. Data Subject Requests
AdPeak will, taking into account the nature of the processing, assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Law. If AdPeak receives a request directly from a Data Subject relating to Customer Personal Data, it will, unless legally prohibited, promptly inform you and not respond to the request except on your documented instructions or as required by law.
9. Audit
AdPeak will make available to you information reasonably necessary to demonstrate compliance with this DPA. Where you reasonably require further information, you may request an audit no more than once per year (or following a Personal Data Breach affecting your data), on reasonable prior written notice, during business hours, subject to confidentiality, and conducted so as to minimise disruption. AdPeak may satisfy audit requests by providing relevant certifications, third-party reports, or written responses where these reasonably address the request.
10. Return and Deletion of Data
On termination or expiry of the Services, or on your written request, AdPeak will delete Customer Personal Data in accordance with the retention and deletion process described in the Privacy Policy — comprising an immediate soft delete (with revocation and nullification of credentials) followed by permanent deletion after a 30-day grace period — except to the extent AdPeak is required by law to retain a copy, or retains anonymised or aggregated data that no longer identifies any Data Subject, or retains limited deletion records as proof of compliance.
11. Personal Data Breach
AdPeak will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to assist you in meeting your breach-notification obligations, including the nature of the breach, likely consequences, and measures taken or proposed. Such notification is not an acknowledgement of fault or liability.
12. International Transfers
AdPeak processes and hosts Customer Personal Data primarily within the United Kingdom and European Union (on Google Cloud Platform), and may transfer it to, or access it from, other countries — including the United States — in connection with the Services (for example, AI inference and Sub-Processors).
Where a transfer of Customer Personal Data is made from the UK, EEA, or Switzerland to a country not covered by an adequacy decision, AdPeak ensures an appropriate safeguard under Data Protection Law applies, which may include:
- The SCCs (for EEA transfers), which are incorporated into this DPA by reference and completed as follows: Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) applies as appropriate; the docking clause applies; the parties’ details, the description of processing (Section 3), and the Sub-Processor list serve as the Annexes; and the governing law and forum are those of the Terms of Service to the extent permitted;
- The UK Addendum to the SCCs (for UK transfers); and/or
- Reliance on an applicable adequacy decision or data-transfer framework (such as the UK–US Data Bridge or EU–US Data Privacy Framework) where the recipient is certified.
AI inference transfers. AI inference is routed to a primary provider (Google Cloud Vertex AI), processed in the UK / EU, and, where necessary, to a fallback (OpenRouter) whose routing is pinned to a fixed allow-list of vetted upstream providers (with no automatic fallback to others) that are (a) located in the UK, EU, or US and (b) selected on a zero-data-retention basis so that they do not retain prompts or responses beyond the request or use the data to train models.
13. Liability
Each party’s liability under this DPA is subject to the exclusions and the aggregate limitation of liability set out in the Terms of Service, except to the extent those limitations are not permitted by Data Protection Law.
14. General
This DPA is governed by the laws of England and Wales and subject to the jurisdiction provisions of the Terms of Service. If any provision is held invalid, the remainder continues in effect. Except as amended by this DPA, the Terms of Service remain in full force.
15. Contact
Data-protection enquiries and requests under this DPA should be sent to privacy@adpeak.ai.
