Adfinia. ← Back to adfinia.com
Legal · Data Processing

Data Processing Addendum

Version1.0 (draft)
Last updated2026-05-16
Effective fromPending legal review
Transfer regimesEU SCCs · UK IDTA · India DPDP
This is a working draft, pending external legal review. The DPA below is a scaffold — it sets out the structure we will execute against and the transfer mechanisms we intend to rely on. Final clauses, schedules, and the executed sub-processor list are pending review by external counsel and may change before commercial publication. To request a counter-signed copy or to raise comments, write to support@adfinia.com with subject "DPA".

Parties & incorporation

This Addendum forms part of the Terms of Service between you (the "Customer") and Infinia Technologies LLC ("Adfinia") whenever Adfinia processes Personal Data on the Customer's behalf.

It is incorporated by reference into the Adfinia Terms of Service and any related Order Form. You do not need to execute a separate copy for the DPA to apply — accepting the Terms accepts the DPA. A counter-signed PDF is available on request (see §13).

Where applicable law (for example, Article 28(3) GDPR, UK GDPR Article 28, India DPDP Section 8, or UAE PDPL Article 26) requires specific clauses between controller and processor, those clauses are set out below; in case of conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Personal Data.

Definitions

Terms not defined here have the meanings given in the Terms of Service or in the applicable Data Protection Law.

  • "Personal Data" — any information relating to an identified or identifiable natural person, as defined under the applicable Data Protection Law.
  • "Customer Data" — Personal Data the Customer or its Users upload to or generate on the Platform.
  • "Data Protection Law" — the GDPR, the UK GDPR, the India Digital Personal Data Protection Act 2023 ("DPDP"), the UAE Federal Decree-Law 45 of 2021 ("PDPL"), and any other applicable national or sectoral law relating to the protection of Personal Data.
  • "SCCs" — the Standard Contractual Clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "IDTA" — the UK International Data Transfer Agreement, or the UK Addendum to the EU SCCs, issued by the UK Information Commissioner's Office.
  • "Sub-processor" — any third party engaged by Adfinia to process Personal Data on the Customer's behalf.
  • "Supervisory Authority" — the data-protection regulator competent under the applicable Data Protection Law.

Roles & subject-matter

With respect to Customer Data, the Customer is the Controller (or processor on behalf of a third-party controller) and Adfinia is the Processor (or sub-processor, as the case may be).

Subject-matter

Adfinia processes Customer Data solely to provide the Platform and the support services described in the Terms.

Duration

Processing continues for the term of the Customer's subscription and the post-termination export and deletion windows described in §11.

Nature & purpose

Hosting, indexing, segmentation, dispatch, attribution, AI inference (with the Customer-selected model and routing), analytics, audit logging, and other functions exposed in the Platform user interface and API.

Categories of data subjects

The Customer's contacts, customers, prospects, employees acting as Users, and any individuals whose data the Customer chooses to upload.

Categories of Personal Data

Identifiers (name, email, phone, account ID), engagement signals (opens, clicks, conversions), preference data (consent state, channel opt-in/out), demographic data uploaded by the Customer, and any free-text fields the Customer chooses to maintain. The Customer is responsible for not uploading special-category data (Art. 9 GDPR / DPDP sensitive data) without lawful basis.

Processing instructions

Adfinia processes Customer Data only on the Customer's documented instructions. The Customer's instructions are:

  • The Terms of Service and this DPA.
  • The configuration the Customer makes in the Platform (regions, retention, consent, suppression, AI routing, integrations).
  • Any further written instructions consistent with the Terms.

Adfinia will inform the Customer if, in our opinion, an instruction infringes Data Protection Law. We will not be required to act on an instruction that is unlawful, technically infeasible, or materially outside the scope of the Service.

Adfinia personnel authorised to process Customer Data are bound by written confidentiality obligations and trained on data-protection responsibilities annually.

Security measures

Adfinia implements appropriate technical and organisational measures to protect Personal Data, taking into account the state of the art, the costs of implementation, and the risks to the rights and freedoms of natural persons. A current summary is published on the Trust & Security overview. The measures include:

  • Encryption — TLS 1.2+ in transit; AES-256 at rest for databases, object storage, and backups.
  • Tenant isolation — row-level-security policies enforced by the database engine on every table that holds Customer Data.
  • Access control — least-privilege, time-bound production access, MFA-enforced for all staff, full audit logging of administrative actions.
  • Vulnerability management — continuous scanning, weekly base-image rebuilds, supply-chain attestation of every container image, annual independent penetration testing.
  • Resilience — point-in-time recovery on primary databases, encrypted off-site backups, documented disaster-recovery procedure tested at least annually.

Material changes to the security measures will not reduce the overall protection of Personal Data. We will keep the Trust & Security overview current with the deployed controls.

Sub-processors

The Customer authorises Adfinia to engage Sub-processors to perform parts of the processing on the Customer's behalf. The current list — together with each Sub-processor's location, category of service, and the categories of Personal Data it processes — is published at /legal/subprocessors.

Adfinia will:

  • Impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA (Art. 28(4) GDPR flow-down).
  • Remain liable to the Customer for the acts and omissions of its Sub-processors as for its own.
  • Give the Customer at least 30 days' notice of any new or replacement Sub-processor before it begins processing Customer Data.

If the Customer reasonably objects to a new Sub-processor on data-protection grounds within 30 days of notice, the Customer may terminate the affected service component and receive a pro-rated refund of pre-paid unused fees.

International transfers — SCCs, IDTA, DPDP safeguards

Where Personal Data is transferred outside its home jurisdiction, Adfinia relies on the transfer mechanism appropriate to the regime.

From the EEA

The SCCs (Commission Decision 2021/914) are deemed entered into between Adfinia and the Customer with respect to transfers of Personal Data from the EEA to Adfinia in a third country. Module 2 (controller-to-processor) applies where the Customer is the controller; Module 3 (processor-to-processor) applies where the Customer is itself a processor. The optional docking clause is included; the governing law of the SCCs is Ireland; the supervisory authority is the Irish DPC unless mandatory law specifies another.

From the United Kingdom

The UK IDTA — or, at the Customer's election, the UK Addendum to the EU SCCs — is deemed entered into between Adfinia and the Customer with respect to transfers of Personal Data from the UK to Adfinia in a third country.

From India

Adfinia transfers Personal Data outside India only to jurisdictions not restricted by notification under India DPDP Section 16, and subject to the same security and confidentiality obligations that apply within India. Where the Customer requires data residency within India, the Customer may pin the tenant region accordingly (see /legal/regions).

From the UAE

Transfers from the UAE rely on PDPL Article 22 mechanisms: adequacy where designated by the UAE Data Office, contractual safeguards where not, and explicit data-subject consent where the Customer has obtained it. Customers on the Sovereign tier may pin processing and AI inference within the UAE.

Local supplements

For each transfer, the categories of data, data subjects, recipients, purposes, retention, and security measures are those described in this DPA. Annex I (parties), Annex II (technical & organisational measures), and Annex III (Sub-processors) of the SCCs are populated from the Order Form, §5 of this DPA, and the published Sub-processor list, respectively.

Data-subject rights

Adfinia provides Customer-facing tooling that helps the Customer respond to requests from data subjects for access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. See the data-subject rights request page for the request flow.

Where a data subject contacts Adfinia directly with a request relating to Customer Data, Adfinia will, without undue delay and to the extent legally permitted, refer the request to the Customer and assist the Customer in responding by appropriate technical and organisational measures.

Adfinia will not respond directly to the data subject, except to confirm receipt and route, or where required by law.

Personal data breach

Adfinia will notify the Customer of any confirmed Personal Data Breach affecting Customer Data without undue delay and in any case within 72 hours of becoming aware. The notice will include — to the extent then known — the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed to address the breach, and the contact point for further information.

Adfinia will provide reasonable assistance to the Customer in meeting the Customer's own notification obligations under Articles 33–34 GDPR, DPDP Section 8(6), PDPL Article 10, and equivalent provisions of applicable law.

Adfinia's notice is not an acknowledgement of fault or liability.

Audit & assurance

Adfinia maintains records of processing activities required under Article 30 GDPR and equivalent provisions. On reasonable written request, Adfinia will provide:

  • The current Trust & Security overview and the most recent independent audit report or penetration test summary that we are entitled to share.
  • Responses to a reasonable security questionnaire, no more than once per twelve-month period unless required by regulator instruction or following a Personal Data Breach.

Where the Customer demonstrates that the documentation does not satisfy the Customer's audit obligations under Article 28(3)(h) GDPR or equivalent law, Adfinia and the Customer will agree in advance the scope, timing, and confidentiality terms of an on-site audit; the audit will be conducted during business hours, with reasonable notice, and at the Customer's cost.

Return & deletion

On termination of the subscription, the Customer may export Customer Data via the Platform's export tooling for 30 days. After that period, and in any case within 60 days of termination, Adfinia will permanently delete Customer Data from production systems, analytical stores, and backups, except where retention is required by law (in which case the same confidentiality and security obligations continue to apply to the retained data).

On request, Adfinia will certify the deletion in writing.

Liability & precedence

The liability provisions of the Terms of Service apply to claims under this DPA. To the extent the SCCs or IDTA impose liability provisions that conflict with the Terms of Service, the SCCs or IDTA control with respect to the transfers they govern.

In case of conflict, the order of precedence is: (1) mandatory provisions of the applicable Data Protection Law; (2) the SCCs or IDTA where they govern a transfer; (3) this DPA; (4) the Terms of Service.

How to counter-sign

You do not need a counter-signed copy of the DPA to be covered by it — accepting the Terms accepts the DPA. We provide counter-signed PDFs for procurement-team records on request.

  1. Email support@adfinia.com with subject "DPA counter-signature request".
  2. Include: (i) the legal entity name that will appear on the customer side, (ii) the registered address, (iii) the name and role of the signatory, (iv) the tenant ID or account email so we can verify the subscription, and (v) any data-protection-officer details you want listed.
  3. We return a signed PDF within 5 business days, with Annex I (parties) populated from the details you provide and Annex III (Sub-processors) reflecting the list current at the date of signature.

Customers on negotiated enterprise terms may execute their own DPA template; in that case the negotiated DPA controls in place of this one.

Specimen counter-signature block
For the Customer (Controller)
For Adfinia (Processor)
Name & title
Name & title
Date
Date

Annexes (reference)

The annexes referenced by the SCCs and this DPA are sourced from the live Platform configuration rather than reproduced as a frozen schedule:

  • Annex I — List of parties. Populated from the Order Form on counter-signature.
  • Annex II — Technical & organisational measures. The current measures are summarised in §5 above and published in full at /legal/security.
  • Annex III — List of Sub-processors. Maintained at /legal/subprocessors, with 30-day prior-notice on changes.
  • Annex IV — Data residency. The current regions and routing rules are published at /legal/regions.