Data Processing Agreement
Notice to Clients: This Data Processing Agreement (DPA) forms part of the Master Services Agreement (MSA) or Statement of Work (SOW) between you (the Controller) and Adstorm LLC (the Processor). It applies wherever Adstorm LLC processes personal data on your behalf in connection with the provision of consulting, advertising management, or related services. Where terms are not defined herein, the definitions in your MSA or SOW shall apply.
1. Definitions
For the purposes of this Data Processing Agreement, the following terms shall have the meanings set out below:
- "Agreement" means this Data Processing Agreement together with any schedules, annexes, or amendments attached hereto.
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this Agreement, including but not limited to: the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018; the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act ("CCPA/CPRA"); and any other applicable national or regional data protection legislation.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this Agreement, the Controller is the Client.
- "Processor" means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In the context of this Agreement, the Processor is Adstorm LLC.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law. For the purposes of CCPA, this includes "personal information" as defined in Cal. Civ. Code § 1798.140(v).
- "Processing" means any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Sub-Processor" means any processor engaged by Adstorm LLC (or by any other Sub-Processor) who agrees to receive Personal Data from Adstorm LLC exclusively intended for processing activities carried out on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 adopted by the European Commission under Decision (EU) 2021/914.
- "Services" means the consulting, paid advertising management, media buying, analytics, and related marketing services provided by Adstorm LLC to the Client under the MSA or SOW.
- "Technical and Organizational Measures" or "TOMs" means the security and organizational safeguards implemented by Adstorm LLC to protect Personal Data, as described in Section 9 of this Agreement.
2. Scope and Purpose
2.1 Scope of Processing. This Agreement governs the processing of Personal Data by Adstorm LLC on behalf of the Client in connection with the provision of the Services. The details of the processing activities, including the subject matter, duration, nature, purpose, type of Personal Data, and categories of Data Subjects, are set out in Schedule 1 (Processing Details) to this Agreement.
2.2 Role Acknowledgment. The parties acknowledge and agree that with regard to the processing of Personal Data described in Schedule 1, the Client is the Controller and Adstorm LLC is the Processor. This Agreement does not apply to processing for which Adstorm LLC acts as a Controller in its own right (for example, processing of the Client's contact and billing data for account management purposes), which is governed by Adstorm LLC's Privacy Policy.
2.3 Incorporation. This DPA is incorporated into and forms part of the MSA or SOW between the parties. In the event of a conflict between this DPA and the MSA or SOW regarding data protection matters, this DPA shall prevail. For all other matters, the MSA or SOW shall prevail.
2.4 Instructions. Adstorm LLC shall process Personal Data only on documented instructions from the Client, including with regard to transfers of Personal Data to third countries or international organizations, unless required to do so by Applicable Data Protection Law to which Adstorm LLC is subject. In such cases, Adstorm LLC shall inform the Client of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
3. Obligations of Adstorm LLC as Processor
3.1 Compliance with Instructions. Adstorm LLC shall process Personal Data only in accordance with the Client's written instructions as set out in this Agreement and the applicable SOW. If Adstorm LLC reasonably believes that an instruction infringes Applicable Data Protection Law, it shall promptly notify the Client.
3.2 Confidentiality of Processing. Adstorm LLC shall ensure that persons authorized to process Personal Data under this Agreement are bound by appropriate obligations of confidentiality, whether under contractual duty or statutory obligation. Adstorm LLC shall ensure that access to Personal Data is limited to authorized personnel who need such access to perform the Services.
3.3 Security Measures. Adstorm LLC shall implement and maintain the Technical and Organizational Measures set out in Section 9 of this Agreement to ensure a level of security appropriate to the risk. Adstorm LLC shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects.
3.4 Assistance with Data Subject Rights. Taking into account the nature of the processing, Adstorm LLC shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, to fulfill the Client's obligation to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law. Adstorm LLC shall promptly forward to the Client any Data Subject request received and shall not respond to such requests without prior authorization from the Client, except to confirm receipt.
3.5 Assistance with Compliance Obligations. Adstorm LLC shall assist the Client in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to Adstorm LLC.
3.6 Deletion or Return of Data. Upon termination or expiry of the Services, and at the Client's election, Adstorm LLC shall either delete or return all Personal Data to the Client and delete existing copies of such data, unless retention is required under Applicable Data Protection Law. Adstorm LLC shall confirm in writing that it has complied with this obligation.
3.7 Audit and Cooperation. Adstorm LLC shall make available to the Client all information necessary to demonstrate compliance with the obligations set out in this Agreement and shall allow for and contribute to audits and inspections conducted by the Client or a third-party auditor mandated by the Client, subject to the conditions set out in Section 12 of this Agreement.
3.8 No Sale of Personal Data. Adstorm LLC shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate Personal Data to a third party for monetary or other valuable consideration, as those terms are defined under the CCPA/CPRA or any other Applicable Data Protection Law.
4. Obligations of the Client as Controller
4.1 Lawfulness of Instructions. The Client represents and warrants that it has the authority to provide the instructions given to Adstorm LLC and that processing of Personal Data in accordance with such instructions will not violate Applicable Data Protection Law.
4.2 Legal Basis for Processing. The Client is solely responsible for establishing and maintaining a valid legal basis (as applicable under the GDPR or other Applicable Data Protection Law) for each processing activity for which it instructs Adstorm LLC. The Client warrants that all necessary consents from Data Subjects have been obtained or that another legal basis applies.
4.3 Transparency to Data Subjects. The Client shall ensure that appropriate privacy notices are provided to Data Subjects before or at the time their Personal Data is collected, informing them of the processing activities described in Schedule 1 and the Client's engagement of Adstorm LLC as a processor.
4.4 Accuracy and Minimization. The Client shall ensure that Personal Data provided to Adstorm LLC is accurate, adequate, relevant, and limited to what is necessary for the specified processing purposes. The Client is responsible for ensuring that Personal Data is not excessive or irrelevant for the stated purposes.
4.5 Data Protection Impact Assessments. The Client is responsible for conducting any required Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR in connection with the processing activities. Adstorm LLC will provide reasonable assistance in completing such assessments upon request.
4.6 Compliance with Controller Obligations. The Client shall comply with all obligations applicable to it as a Controller under Applicable Data Protection Law and shall not instruct Adstorm LLC to process Personal Data in a manner that would constitute a violation of Applicable Data Protection Law.
5. Data Subject Rights
5.1 Forwarding Requests. If Adstorm LLC receives a request from a Data Subject seeking to exercise any rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, or objection), Adstorm LLC shall forward such request to the Client within 5 business days of receipt without responding to the request on the Client's behalf.
5.2 Technical Assistance. Adstorm LLC shall provide reasonable technical assistance to the Client to facilitate the Client's response to Data Subject rights requests, including (where technically feasible and within Adstorm LLC's control) the ability to access, correct, restrict, delete, or export Personal Data.
5.3 Response Timeline. Adstorm LLC shall use commercially reasonable efforts to provide the technical assistance requested by the Client within a timeframe that enables the Client to respond to Data Subject requests within the deadlines required by Applicable Data Protection Law (typically 30 days under GDPR, or 45 days under CCPA).
5.4 No Independent Response. Adstorm LLC shall not respond to, fulfill, deny, or otherwise address Data Subject requests independently without the prior written authorization of the Client, except where required by Applicable Data Protection Law.
6. Sub-Processors
6.1 General Authorization. The Client grants Adstorm LLC general written authorization to engage Sub-Processors, subject to the requirements set out in this Section 6. Adstorm LLC shall maintain an up-to-date list of Sub-Processors and make it available to the Client upon request.
6.2 Notification of New Sub-Processors. Before engaging any new Sub-Processor or making material changes to an existing Sub-Processor engagement, Adstorm LLC shall provide the Client with at least 14 days' prior written notice. The Client shall have the opportunity to object to such changes on reasonable grounds related to data protection compliance. If the Client objects and the parties cannot resolve the matter within 30 days, either party may terminate the affected services without penalty.
6.3 Sub-Processor Requirements. Adstorm LLC shall, before engaging any Sub-Processor:
- Conduct reasonable due diligence on the Sub-Processor's data protection practices
- Enter into a written agreement with the Sub-Processor that imposes data protection obligations equivalent to those imposed on Adstorm LLC under this Agreement
- Ensure that appropriate Technical and Organizational Measures are in place at the Sub-Processor level
- Ensure that international data transfers by the Sub-Processor comply with the requirements set out in Section 8 of this Agreement
6.4 Liability for Sub-Processors. Adstorm LLC shall remain liable to the Client for the performance of the Sub-Processor's data protection obligations. If a Sub-Processor fails to fulfill its data protection obligations, Adstorm LLC shall remain fully liable to the Client for the performance of the Sub-Processor's obligations.
7. International Data Transfers
7.1 General Principle. Neither party shall transfer Personal Data to a country or territory outside the European Economic Area (EEA), UK, or Switzerland unless appropriate safeguards are in place as required by Applicable Data Protection Law.
7.2 Adstorm LLC as Processor. Adstorm LLC is based in the United Arab Emirates. To the extent that processing activities under this Agreement involve transfers of Personal Data from the EEA, UK, or Switzerland to the UAE, the parties shall execute the relevant Standard Contractual Clauses as an annex to this Agreement, or rely on any adequacy decision that may be in force for the UAE at the time of transfer.
7.3 Standard Contractual Clauses. Where SCCs apply, the parties agree that:
- The EU SCCs (Module 2: Controller to Processor) adopted by European Commission Decision (EU) 2021/914 are incorporated by reference into this Agreement
- The UK IDTA or UK Addendum to the EU SCCs shall apply to transfers from the UK as required
- The applicable Annex I, II, and III information to the SCCs is set out in Schedule 1 and Schedule 2 of this Agreement
7.4 Sub-Processor Transfers. Adstorm LLC shall ensure that any Sub-Processor it appoints in a third country is bound by transfer mechanisms that provide equivalent protection as required by Applicable Data Protection Law.
7.5 Transfer Impact Assessments. Where required by law or on reasonable request by the Client, Adstorm LLC shall cooperate in performing Transfer Impact Assessments (TIAs) for any international data transfers covered by this Agreement.
8. Security Measures
8.1 General Standard. Adstorm LLC shall implement and maintain appropriate Technical and Organizational Measures to protect Personal Data against unauthorized access, accidental or unlawful destruction, alteration, or disclosure. Adstorm LLC shall take into account the risks that are presented by the processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
8.2 Specific Technical Measures. Adstorm LLC's security program includes, at minimum, the following technical measures:
- Encryption in transit: All Personal Data transmitted between systems or to external parties is encrypted using TLS 1.2 or higher
- Encryption at rest: Personal Data stored in databases and file systems is encrypted at rest using AES-256 or equivalent standards
- Access controls: Role-based access control (RBAC) limiting access to Personal Data to authorized personnel on a need-to-know basis
- Authentication: Multi-factor authentication (MFA) required for access to systems processing Personal Data
- Pseudonymization: Where technically feasible, Personal Data is pseudonymized to reduce the risk in case of unauthorized access
- Vulnerability management: Regular security assessments, penetration testing, and vulnerability scanning of systems processing Personal Data
- Logging and monitoring: Activity logs maintained for access to and processing of Personal Data, with monitoring for anomalous access patterns
- Backup and recovery: Regular encrypted backups of Personal Data with tested recovery procedures to ensure resilience and availability
8.3 Organizational Measures. Adstorm LLC's security program includes, at minimum, the following organizational measures:
- A documented information security policy reviewed at least annually
- Mandatory privacy and security awareness training for all personnel with access to Personal Data
- Contractual confidentiality and data protection obligations for all employees and contractors
- A documented incident response and breach notification procedure
- Regular review and audit of access rights and permissions
- Vendor and supplier security assessment procedures before onboarding
- Physical access controls at facilities where Personal Data is processed
8.4 Security Updates. Adstorm LLC shall keep security measures up to date in accordance with the current state of the art and technological developments. Adstorm LLC shall notify the Client if it intends to make changes to its security measures that would materially reduce the level of protection afforded to the Client's Personal Data.
9. Personal Data Breach Notification
9.1 Notification Timeline. Adstorm LLC shall notify the Client without undue delay and, in any event, within 72 hours of becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Client under this Agreement. Where notification cannot be made within 72 hours, Adstorm LLC shall notify the Client as soon as possible and shall provide the reasons for the delay.
9.2 Content of Notification. The notification shall, at minimum, include:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
- The name and contact details of the data protection contact point at Adstorm LLC who can provide further information
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken by Adstorm LLC to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
9.3 Investigation and Remediation. Adstorm LLC shall promptly investigate the Personal Data Breach and take all reasonable steps to identify the cause, mitigate ongoing harm, remediate the breach, and prevent recurrence. Adstorm LLC shall keep the Client informed of the progress of the investigation and any additional findings.
9.4 Assistance with Regulatory Notification. Adstorm LLC shall cooperate with and assist the Client in the Client's notifications to Data Subjects and supervisory authorities as required under Applicable Data Protection Law. The Client remains solely responsible for determining whether notification to supervisory authorities and/or Data Subjects is legally required and for making such notifications.
9.5 No Admission. Adstorm LLC's notification of a Personal Data Breach does not constitute an admission of fault or liability, nor does it necessarily mean that the Personal Data Breach is reportable to a supervisory authority.
10. Data Protection Impact Assessments and Prior Consultation
10.1 Adstorm LLC shall provide reasonable assistance to the Client for the preparation of Data Protection Impact Assessments (DPIAs) required under Article 35 of the GDPR and for any prior consultations with supervisory authorities required under Article 36 of the GDPR.
10.2 The Client shall inform Adstorm LLC of any DPIA findings that require changes to the processing activities or the Technical and Organizational Measures in place at Adstorm LLC. The parties shall cooperate in good faith to implement any necessary changes.
11. Audit Rights
11.1 Information and Documentation. Adstorm LLC shall maintain complete, accurate, and up-to-date records of processing activities carried out under this Agreement, and shall make such documentation available to the Client upon reasonable written request.
11.2 On-Site Audit. Adstorm LLC shall, no more than once per calendar year (except where a Personal Data Breach has occurred or a regulatory investigation is underway), allow the Client or its designated third-party auditor to conduct an audit of Adstorm LLC's data processing facilities and procedures to verify compliance with this Agreement. The Client shall provide at least 30 days' prior written notice of any proposed audit.
11.3 Conditions for Audit. Any audit conducted pursuant to this Section shall:
- Be subject to reasonable confidentiality obligations
- Be conducted during normal business hours and in a manner that minimizes disruption to Adstorm LLC's business operations
- Not include access to systems or data relating to other Adstorm LLC clients
- Be carried out at the Client's expense, unless the audit reveals a material breach of this Agreement by Adstorm LLC
11.4 Certification as Substitute. Upon the Client's reasonable request, and as an alternative to an on-site audit, Adstorm LLC may satisfy its audit obligations by providing the Client with current third-party security certifications, audit reports (e.g., SOC 2 Type II), or information security questionnaire responses, to the extent that such documents demonstrate compliance with the obligations under this Agreement.
12. Duration and Termination
12.1 Term. This Agreement shall enter into force on the effective date of the MSA or SOW between the parties and shall remain in force for the duration of the Services, unless terminated earlier in accordance with this Section or the MSA.
12.2 Effect of Termination. Upon termination of the Services for any reason, each party's rights and obligations under this Agreement shall terminate, except for obligations relating to events or acts that occurred prior to termination and any obligations that expressly survive termination.
12.3 Termination for Data Protection Breach. Either party may terminate this Agreement and the underlying Services immediately upon written notice if the other party materially breaches this Agreement and fails to cure such breach within 30 days of receiving written notice of the breach, or if the breach is of a nature that cannot be remedied.
12.4 Survival. The following provisions shall survive termination of this Agreement: Section 1 (Definitions), Section 3.8 (No Sale of Personal Data), Section 7 (International Data Transfers), Section 9.5 (No Admission), Section 13 (Data Return and Deletion), Section 14 (Liability), Section 15 (Governing Law), and any provisions that by their nature should survive.
13. Data Return and Deletion
13.1 Return of Data. Upon termination or expiry of this Agreement, or at any time upon the Client's written request, Adstorm LLC shall return to the Client all Personal Data (and copies thereof) in a commonly used, machine-readable format within 30 days.
13.2 Deletion. Unless the Client requests return of data, or unless Applicable Data Protection Law requires Adstorm LLC to retain the Personal Data, Adstorm LLC shall securely delete all Personal Data (and copies thereof) within 30 days of termination of this Agreement. Deletion shall be performed using industry-standard methods that render the data unrecoverable.
13.3 Confirmation of Deletion. Adstorm LLC shall provide the Client with written certification of the deletion of Personal Data within 30 days of completing the deletion process. Such certification shall describe the deletion method used and confirm that all copies have been destroyed.
13.4 Backup Data. Personal Data contained in system backups maintained by Adstorm LLC for business continuity purposes will be deleted in the ordinary course of the backup rotation schedule, provided that Adstorm LLC shall not restore such backup data in a manner that would result in re-introduction of deleted Personal Data into live systems.
13.5 Legal Retention Obligations. To the extent that Adstorm LLC is required by Applicable Data Protection Law or other applicable law to retain copies of certain Personal Data beyond the termination of this Agreement, Adstorm LLC shall notify the Client of such requirement, retain only the minimum data required, and shall isolate and protect such data from further processing inconsistent with this Agreement until deletion is permitted.
14. Liability
14.1 Allocation of Liability. Each party's liability under this Agreement shall be subject to any limitations of liability set out in the MSA or SOW. Where Applicable Data Protection Law permits the parties to agree on the allocation of liability (including under Article 82 of the GDPR), the parties agree that liability shall be allocated in proportion to each party's responsibility for the damage suffered.
14.2 Processor Liability. Adstorm LLC shall be liable for damage caused by processing where it has not complied with the obligations of this Agreement specifically directed at processors, or where it has acted outside of or contrary to the lawful instructions of the Client.
14.3 Controller Liability. The Client shall be liable for damage caused by processing where it has not complied with its obligations as Controller under Applicable Data Protection Law or where it has provided instructions to Adstorm LLC that violate Applicable Data Protection Law.
14.4 Regulatory Fines. Each party shall be responsible for and indemnify the other against any regulatory fines or penalties imposed on the other party by a supervisory authority to the extent that such fines are attributable to the indemnifying party's failure to comply with its obligations under this Agreement or Applicable Data Protection Law.
14.5 No Consequential Damages. To the maximum extent permitted by Applicable Data Protection Law and the MSA, neither party shall be liable to the other for indirect, incidental, special, consequential, or punitive damages arising from this Agreement, except in cases of willful misconduct, gross negligence, or as required by mandatory law.
15. General Provisions
15.1 Amendments. This Agreement may be amended by mutual written agreement of the parties. Where an amendment is required by a change in Applicable Data Protection Law or by a regulatory authority, Adstorm LLC may propose such an amendment with 30 days' written notice, and the Client shall not unreasonably withhold consent.
15.2 Entire Agreement. This Agreement, together with its Schedules and the MSA or SOW, constitutes the entire agreement between the parties with respect to data protection and supersedes all prior discussions, negotiations, or agreements on the same subject matter.
15.3 Severability. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The parties shall replace the invalid or unenforceable provision with one that is valid and enforceable and that achieves, to the greatest extent possible, the original intent of the parties.
15.4 No Third-Party Beneficiaries. Nothing in this Agreement creates any rights enforceable by third parties. Data Subjects' rights are governed by Applicable Data Protection Law and not by this Agreement.
16. Governing Law and Dispute Resolution
16.1 Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the United Arab Emirates and the applicable regulations of Shams Media City Free Zone, without regard to conflict of law principles. Where GDPR governs specific processing activities, the interpretation of those provisions shall be consistent with EU data protection law.
16.2 Regulatory Authority Jurisdiction. Nothing in this Section shall limit or restrict the rights of any supervisory authority (including the UK ICO, EU data protection authorities, or the California Privacy Protection Agency) to investigate or take enforcement action against either party in its respective jurisdiction.
16.3 Dispute Resolution. Any dispute arising out of or in connection with this Agreement shall first be subject to good-faith negotiation between senior representatives of the parties. If the dispute is not resolved within 30 days of written notice, it shall be referred to binding arbitration under the rules of the Dubai International Arbitration Centre (DIAC), conducted in English. The seat of arbitration shall be Dubai, UAE.
17. Signatories and Execution
This Data Processing Agreement is incorporated by reference into the Master Services Agreement or Statement of Work signed between the parties. Execution of the MSA or SOW constitutes execution of and agreement to this DPA without the need for separate signatures.
If a separately signed DPA is required by law or by the Client's policies, please contact us at privacy@adstorm.agency to request an executed copy.
Adstorm LLC
Shams Media City FZ, Al Messaned, UAE
Data Protection Contact: privacy@adstorm.agency
General Contact: hello@adstorm.agency
Schedule 1 - Processing Details
The following details describe the processing activities governed by this Agreement. These details shall be updated or supplemented as needed by a mutually agreed written amendment or by reference to the applicable SOW.
| Item | Details |
|---|---|
| Subject Matter | Processing of personal data belonging to the Client's customers, prospects, and users in connection with the provision of paid advertising management, media buying, analytics, audience segmentation, and related marketing consulting services |
| Duration | For the duration of the Services as specified in the MSA or SOW, plus any post-termination retention required by law or this Agreement |
| Nature of Processing | Collection, storage, use, analysis, segmentation, transfer to advertising platforms, performance measurement, reporting, and deletion of personal data for the purposes of digital advertising campaign management and optimization |
| Purposes of Processing | Campaign creation and management; audience targeting and remarketing; conversion tracking and attribution; performance analytics and reporting; A/B testing; ad creative testing; budget optimization |
| Types of Personal Data | Depending on the specific Services, may include: identifiers (name, email address, phone number, device identifiers, IP address, advertising IDs); commercial information (purchase history, transaction amounts); internet activity (browsing behavior, ad click history, engagement metrics); inferences drawn from the above |
| Categories of Data Subjects | The Client's customers and prospective customers; website visitors; email subscribers; individuals who have engaged with the Client's advertisements or digital content |
| Controller Contact | As specified in the MSA or SOW |
| Processor Contact | Adstorm LLC, Shams Media City FZ, Al Messaned, UAE - privacy@adstorm.agency |
Schedule 2 - Technical and Organizational Measures
Adstorm LLC commits to the following Technical and Organizational Measures as a minimum standard for the protection of Personal Data processed under this Agreement:
- Encryption: TLS 1.2+ for all data in transit; AES-256 encryption for sensitive data at rest
- Access Control: Role-based access control; principle of least privilege; regular access reviews and prompt revocation upon role change or departure
- Authentication: Multi-factor authentication (MFA) for all systems processing Personal Data; strong password policies
- Network Security: Firewalls and intrusion detection systems; network segmentation; regular penetration testing
- Endpoint Security: Anti-malware and endpoint detection software; encrypted device storage; remote wipe capability for mobile devices
- Audit Logging: Comprehensive activity logs for access and changes to Personal Data; log retention for a minimum of 12 months; regular log review
- Incident Response: Documented and tested incident response plan; designated breach response team; 72-hour notification procedure
- Backup and Recovery: Encrypted regular backups; tested restoration procedures; off-site or cloud backup retention
- Vendor Management: Written agreements with all Sub-Processors imposing equivalent protections; periodic Sub-Processor security review
- Training: Annual mandatory data protection and security awareness training for all staff; additional training upon significant regulatory changes
- Physical Security: Access controls for physical facilities; secure disposal of physical media; clear desk policy
- Data Minimization: Collection and retention of only data necessary for the specified purposes; regular data inventory and purge reviews