BidSwitch

Data Processing Addendum

This Data Processing Addendum was updated on June 2025 and applies to all Customers irrespective of the Effective Date of the Term Sheet.

  1. The terms and conditions in this Data Processing Addendum (“DPA“), are entered into between Criteo S.A., as the parent company for the Criteo entity providing services to Customer (“BIDSWITCH“); and You (“Customer“), pursuant to the terms of the Agreement (defined below).
  2. This DPA together with the Agreement, constitute a legally binding agreement between the parties and governs Your use of the BIDSWITCH Services and the parties processing of any personal data under the Agreement. Customer agrees that this DPA is like any written negotiated agreement signed by Customer and agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any group companies or affiliates that use the Services. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
  3. Background

3.1. BIDSWITCH and Customer have entered into a master services agreement, together with one or more connected service orders and/or agreements (collectively the “Agreement“), pursuant to which BIDSWITCH has agreed to provide the Services.

3.2. The parties wish to define their respective data protection obligations relating to BIDSWITCH’s provision of Services to Customer.

  1. Definitions

4.1. In this DPA, the following terms shall have the following meanings:

(a) “controller“, “processor“, “data subject“, “personal data“, “processing” (and “process“), “business”, “service provider” and “special categories of personal data” shall have the meanings given in Applicable Data Protection Laws.

(b) “Applicable Data Protection Laws” shall mean any and all applicable international, national, federal and state laws and regulations relating to data protection and privacy, including but not limited to: (a) the General Data Protection Regulation (“EU GDPR”), (b) the UK Data Protection Act (“UK GDPR”), (c) the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), (d) the Virginia Consumer Data Protection Act (“VCDPA”), (e) the Colorado Privacy Act (“CPA”), (f) the Connecticut Data Privacy Act (“CTDPA”), (g) the Utah Consumer Privacy Act (“UCPA”), (h) the Oregon Consumer Privacy Act (“OCPA”), (i) the Texas Data Privacy and Security Act (“TDPSA”), (j) the Montana Consumer Data Privacy Act (“MTCDPA”), (k) the Korean Personal Information Protection Act (“PIPA”); each as implemented in each jurisdiction, and any amending or replacement legislation (or similar) from time to time. For the sake of clarity, Data Protection Law also includes all legally binding requirements issued by the competent data protection authorities i) governing the processing and security of information relating to individuals and providing rules for the protection of such individuals’ rights and freedoms with regard to the processing of data relating to them, ii) specifying rules for the protection of privacy in relation to data processing and electronic communications, or iii) enacting rights for individuals which are enforceable towards organizations with respect to the processing of their personal data, including rights of access, rectification and erasure. Any Data Protection Law listed herein only apply to the Customer to the extent this is provided for under the criteria set by law.

(c) “data subject” as used herein shall also refer to “consumer” as that term is defined under Applicable Data Protection Laws.

(d) “personal data” means any information that identifies, relates to, describes, is capable of being associated with, or can reasonably be linked, directly or indirectly, to an identified or identifiable natural person or household, and that is Processed in connection with the Agreement.

(e) “Services” has the meaning given to it in the Agreement or if not set forth in the Agreement, means the services provided by BIDSWITCH  to Customer in accordance with and as described in the Agreement.

(f) “sub-processor” shall mean a party appointed by a processor or service provider to process personal data on behalf of that processor or service provider.

  1. Details of the processing

5.1. The subject matter of BIDSWITCH’s processing of personal data is the processing necessary to perform the Services as outlined in the Agreement. The duration of the processing is for the Term of the Agreement. The nature and purpose of the processing are to provide the Services, as defined in the Agreement, the types of personal data is information unique to internet user(s), used by advertisers to present advertising to that internet user(s) and categories of data subjects processed under this DPA are the aforementioned internet users. If the Agreement is materially deficient in respect of the subject matter of this Clause 5, the parties may supplement the Agreement with additional information.

  1. Data Protection Obligations

6.1. Relationship of the parties:  Customer (as the controller in its own right or as the processor who acts under instruction from third party controller(s)) or another business appoints BIDSWITCH  as a processor (or sub-processor, as the case may be) to process the personal data described in the Agreement (the “Data“) for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the “Permitted Purpose“).  Each party shall comply with the obligations under applicable data protection laws. If BIDSWITCH becomes aware that processing for the Permitted Purpose infringes an Applicable Data Protection Laws, it shall promptly inform Customer. The Customer shall be solely responsible to ensure the accuracy, lawfulness, and quality of the Personal Data and to ensure that the Processing entrusted to BIDSWITCH has an adequate legal basis pursuant to Data Protection Law.

6.2. Customer Instructions: BIDSWITCH shall process Personal Data for the Services only on the documented instructions from Customer. Customer may not instruct BIDSWITCH to process Personal Data in a manner not compatible with the Agreement and more particularly this DPA. BIDSWITCH shall immediately inform Customer if BIDSWITCH reasonably believes it is unable to follow Customer’s instructions, or if such instructions are not compatible with the Services or more generally with the Agreement.

6.3. Service provider limitations:  Customer is a business and BIDSWITCH is a service provider as those terms are defined under the Applicable Data Protection Laws. BIDSWITCH  shall not: (a) sell, share, or otherwise process Data for purposes of targeted advertising other than the Permitted Purpose; (b) retain, use, or disclose personal data for any purpose other than for the Permitted Purpose; (c) retain, use, or disclose personal data for a commercial purpose other than for the Permitted Purpose; or (d) retain, use, or disclose personal data outside of the direct business relationship between BIDSWITCH  and Customer. BIDSWITCH certifies that it understands these restrictions and will comply with them.

6.4. Security: BIDSWITCH shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR.

6.5 Prohibited data:  Customer shall not disclose or provide (and shall not permit any data subject to disclose) any special categories of personal data or sensitive data to BIDSWITCH for processing.

6.6. Transfers of Personal Data:  BIDSWITCH shall not transfer the Data outside of the European Economic Area (“EEA“) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws.

6.7. Sub-processing:  Customer may object to BIDSWITCH’s appointment or replacement of a sub-processor prior to BIDSWITCH’s engagement of such sub-processor, provided such objection is based on reasonable grounds relating to data protection.  In such event, BIDSWITCH will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

6.8. Cooperation and data subjects’ rights:  BIDSWITCH  shall provide reasonable assistance  where legally required and subject to operational feasibility  (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.

6.9. Data Protection Impact Assessment:  Upon Customer’s request, at Customer’s cost, and to the extent required under Data Protection Law, BIDSWITCH shall assist Customer in complying with any required data protection impact assessment on Customer’s request, taking into account the information available to BIDSWITCH. To the extent required under the GDPR or UK GDPR, BIDSWITCH shall provide reasonable assistance to Customer in its cooperation or prior consultation with a Regulatory Authority in the performance of its tasks

6.10. Audit:  Customer acknowledges that BIDSWITCH  is audited against ISO 27001, standards by independent third party auditors.  Upon request, BIDSWITCH  shall supply a summary copy of its audit report(s) to Customer, which shall be subject to the confidentiality provisions of the Agreement. BIDSWITCH  shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.