Effective: May 25, 2018

This Data Processing Addendum is referred to in Section 7 of, and forms an integral part of, the AdRoll Terms of Service and any applicable Product Addendum(s) (“Terms of Service”). It is effective upon acceptance of the Terms of Service.

Where Data processed under the Terms of Service is subject to Applicable Data Protection Law, Clients may enter into this Data Processing Addendum (which incorporates the European Commission’s Standard Contractual Clauses): (i) to protect the Data in accordance with the requirements of Applicable Data Protection Law; and (ii) to provide appropriate safeguards with respect to Data which may be processed outside of the European Territories.

This Data Processing Addendum reflects the Parties’ agreement with respect to the terms governing the processing of Data under the Terms of Service.


  • "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
  • "Applicable Data Protection Law" shall mean: (i) prior to May 25th 2018, the EU Data Protection Directive (Directive 95/46/EC); (ii) after May 25th 2018, the EU General Data Protection Regulation (Regulation 2016/679); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) any national legislation made under or pursuant to any of (i), (ii) or (iii); and (v) any law that amends or supersedes (i), (ii), (iii) or (iv).
  • Any other capitalized terms not defined in this Data Processing Addendum shall have the meaning given to them in the Terms of Service.


The Client (the “Controller”) appoints AdRoll, Inc. d/b/a AdRoll Group (“AdRoll”) as a processor to process the personal data described in Section 7.1 of the Terms of Service between the parties (the "Data") for the purposes described the Terms of Service (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. If the Controller becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform AdRoll.


The Controller shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to AdRoll for processing.


AdRoll shall not transfer the Data outside of the European Territories unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient in the United States of America that maintains a valid and up-to-date EU-US Privacy Shield certification, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.


To ensure that appropriate safeguards are afforded to personal data transferred by the Controller to AdRoll, the parties hereby incorporate the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU in their entirety, subject to the following requirements: (a) Appendices 1 and 2 of the Standard Contractual Clauses shall be as set out at Annex A to this Data Processing Addendum; (b) AdRoll shall be deemed to comply in full with the subprocessing requirements of Section 11 of the Standard Contractual Clauses if it complies with the requirements of Section 8 of this Data Processing Addendum; and (c) AdRoll shall be deemed to comply in full with the rights of audit Controller may have under Section 5(f) of the Standard Contractual Clauses if it complies with the requirements of Section 13 of this Data Processing Addendum.


AdRoll shall ensure that any person it authorises to process the Data shall protect the Data in accordance with the Controller's confidentiality obligations under this addendum and the Terms of Service.


AdRoll shall implement appropriate technical and organisational measures as set out in Annex C to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").


The Controller consents to AdRoll engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) AdRoll maintains an up-to-date list of its subprocessors to be provided to Controller upon request, which it shall update with details of any proposed change a reasonable time in advance of appointing or replacing a subprocessor; (ii) AdRoll imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law and this Data Processing Addendum; and (iii) AdRoll remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. A list of approved subprocessors is attached at Annex B. The Controller may object to AdRoll's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, AdRoll will either not appoint or replace the subprocessor or, if this is not possible, the Controller may suspend or terminate the Terms of Service (without prejudice to any fees incurred by the Controller prior to suspension or termination).


AdRoll shall provide reasonable and timely assistance to the Controller (at Controller’s expense) to enable the Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, restriction and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to AdRoll, AdRoll shall promptly inform the Controller providing full details of the same.


AdRoll shall provide reasonable cooperation to the Controller (at Controller’s expense) in connection with any data protection impact assessment that the Controller may be required under Applicable Data Protection Law.


If it becomes aware of a confirmed Security Incident, AdRoll shall inform Controller without undue delay and shall provide reasonable information and cooperation to Controller so that Controller can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. AdRoll shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Controller informed of all material developments in connection with the Security Incident.


Upon termination or expiry of the Terms of Service, AdRoll shall (at Controller's election) destroy or return to Controller all Data in its possession or control. This requirement shall not apply to the extent that AdRoll is required by Applicable Law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event AdRoll shall securely isolate and protect from any further processing except to the extent required by such law.


AdRoll will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Addendum.

Controller agrees that it shall exercise any right of audit under Applicable Data Protection Law (or the Standard Contractual Clauses incorporated by reference in Section 5) by submitting written audit questions to AdRoll. AdRoll shall respond to such written audit questions submitted to it by Controller, provided that Controller shall not exercise this right more than once per year.

Annex A

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

  • Client is the data exporter who is receiving Services under the Terms of Service.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

  • AdRoll is providing Services to the data exporter under the Terms of Service.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

  • Prospective and existing customers of the data exporter

Categories of data

The personal data transferred concern the following categories of data (please specify):

  • Contact information including email address and any other affiliated contact information provided by the data exporter to the data importer to perform the Services (e.g. name, address, email, phone number, company name, job title).

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • None

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • use in targeting and bidding for ads to be shown on publisher websites;
  • aggregation and analysis for improving data importer’s services; and
  • transfer and storage of personal data with data importer’s storage and data processing subprocessor, Amazon Web Services.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Standard Contractual Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Annex C.


Approved list of subprocessors

Entity Name Processing Activity Location
Amazon Web Services Storage USA and Europe
Mailgun (only applicable where Client runs AdRoll Email Services Sending emails USA

Annex C

AdRoll Security Exhibit

AdRoll will commit to, at a minimum, the following security measures and may also adopt other security measures to ensure an appropriate level of security, including confidentiality, integrity, and availability, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the service the data that needs to be protected:

  • Risk Management. Maintain a risk management program.
  • Policies. Statements of intent on key areas of risk prevention.
  • Operational Processes. Including:
    • change control;
    • incident response; and
    • breach notification.
  • Auditing. Centralized logging of security events to facilitate detection of and response to security events.
  • Personnel Management. Management of human resources including background checks.
  • Vendor Management. A program to manage risk created by use of third parties to manage systems and data.
  • Access Control to Processing Areas. Processes to prevent unauthorized persons from gaining access to the data processing equipment where the sensitive Data is processed or used.
  • Access Control to Data Processing Systems. Processes to prevent data processing systems from being used by unauthorized persons.
  • Least Privilege Access. Measures to ensure that persons entitled to use data processing systems are only able to access the Data within the scope and to the extent covered by their respective access permission (authorization) and that sensitive Data cannot be read, copied or modified or removed without authorization.
  • Transmission Control. Procedures to prevent Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Data by means of data transmission facilities is envisaged.
  • Storage Control. Controls when storing any sensitive Data.
  • Input Control. Measures to ensure that it is possible to check and establish whether and by whom Data has been input into data processing systems or removed.
  • Availability Control. Measures to ensure that Data are protected from accidental destruction or loss.
  • Segregation of Processing. Procedures to ensure that Data collected for different purposes can be processed separately.
  • Vulnerability Management. Systems are regularly checked for vulnerabilities and any detected are immediately remedied.
  • Incident Management. Establishment of adequate and appropriate incident management.