DATA PROCESSING ADDENDUM (“DPA”)
Last Updated: 29 April 2025
This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Master Publisher Agreement or any other written or electronic agreement (the “Agreement”) between predicto.ai (“predicto.ai”, “we”, “us” or “our”) and the counter‑party that has executed, accepted or otherwise become bound by the Agreement (the “Publisher”, “you” or “your”).
This DPA applies wherever predicto.ai Processes Personal Data on behalf of the Publisher in the course of providing the Services under the Agreement. Where the provisions of this DPA and the Agreement conflict, this DPA shall prevail solely in relation to Personal‑Data Processing.
1 Definitions
Term | Meaning |
“Applicable Privacy Laws” | All worldwide data‑protection and privacy legislation and regulations that apply to the Processing of Personal Data under the Agreement, including, without limitation: (i) Regulation (EU) 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, and the Swiss FADP; (ii) the e‑Privacy Directive 2002/58/EC and national implementations; (iii) the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”) together with other U.S. state privacy statutes; (iv) Brazil’s Lei 13.709/2018 (“LGPD”); and (v) any applicable self‑regulatory frameworks, codes of conduct or industry standards. |
“Controller” | The entity that determines the purposes and means of the Processing of Personal Data. |
“Processor” | The entity that Processes Personal Data on behalf of the Controller. |
“Sub‑processor” | Any third‑party Processor engaged by predicto.ai to Process Personal Data on its behalf. |
“Data Subject” | An identified or identifiable natural person to whom Personal Data relate. |
“Personal Data” | Any information relating to an identified or identifiable natural person that is protected as personal data, personal information or a similar term under Applicable Privacy Laws. |
“Processing” / “Process” | Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, usage, disclosure, dissemination, erasure or destruction. |
“Standard Contractual Clauses” (“SCCs”) | The EU Controller‑to‑Processor SCCs (Commission Implementing Decision (EU) 2021/914, module 2) together with the UK International Data Transfer Addendum, as applicable. |
2 Roles of the Parties
- Controller → Processor relationship. For the Personal Data described in Annex I, the Publisher is the Controller and predicto.ai is the Processor (and predicto.ai Sub‑processors are sub‑processors). The parties are not joint controllers.
- Independent Controllers (business‑contact data). Each party may Process limited business‑contact data of the other party’s personnel for contract administration, billing and compliance purposes, for which each party acts as an independent Controller.
3 Description of Processing
The subject‑matter, nature and purpose of Processing, the categories of Data Subjects, the types of Personal Data and the duration of Processing are set out in Annex I.
4 Publisher Obligations
- Lawful basis & transparency. Publisher will ensure that it has, and can demonstrate, a valid legal basis (including consent where required) for predicto.ai and its Sub‑processors to lawfully Process Personal Data for the purposes set out in Annex I and in accordance with Applicable Privacy Laws.
- Consent or preference signals. Where consent or opt‑out signals are collected via a consent‑management platform (“CMP”) or other means, Publisher shall transmit such signals to predicto.ai in a format compliant with Applicable Privacy Laws.
- Notice. Publisher shall provide Data Subjects with a clear and comprehensive privacy notice that: (i) accurately describes the collection and use of Personal Data; (ii) discloses sharing with predicto.ai and its Sub‑processors; (iii) explains how Data Subjects may exercise their privacy rights (including any “Do Not Sell or Share” mechanism); and (iv) otherwise complies with Applicable Privacy Laws.
- Children. Publisher shall not knowingly transmit to predicto.ai any Personal Data of users under the minimum age specified by Applicable Privacy Laws (16 years or lower, as applicable).
5 predicto.ai Obligations as Processor
predicto.ai shall:
- Process on documented instructions. Process Personal Data only in accordance with Publisher’s documented instructions (the Agreement and this DPA being such instructions), unless otherwise required by law.
- Confidentiality. Ensure that all persons authorised to Process Personal Data are bound by appropriate confidentiality obligations.
- Security. Maintain the technical and organisational measures described in Annex II and regularly certify compliance with ISO/IEC 27001 and SOC 2 Type II (or equivalent) standards.
- Sub‑processors. Engage Sub‑processors only under the conditions of Section 8 and remain responsible for their acts and omissions.
- Assistance. Provide reasonable assistance to Publisher, taking into account the nature of the Processing and the information available to predicto.ai, in order to: (i) respond to Data Subject requests (Section 6); (ii) conduct data‑protection impact assessments (“DPIAs”) and prior consultations; and (iii) meet other obligations under Applicable Privacy Laws, including Articles 32–36 GDPR.
- Record‑keeping. Maintain records of Processing activities as required by Article 30 GDPR and make them available to supervisory authorities upon request.
6 Data Subject Requests
If predicto.ai receives a request from a Data Subject to exercise rights under Applicable Privacy Laws, predicto.ai will: (i) promptly forward the request to Publisher; and (ii) refrain from responding directly (unless legally required) but will assist Publisher in responding, at Publisher’s cost where such assistance exceeds reasonable internal effort.
7 Personal‑Data Breach
predicto.ai shall notify Publisher without undue delay (and in any event within 72 hours) after becoming aware of a Personal‑Data Breach affecting Personal Data Processed on Publisher’s behalf. The notification shall include, to the extent practicable, the information required by Article 33(3) GDPR. predicto.ai shall promptly take appropriate remedial actions and cooperate with Publisher in any required notifications.
8 Sub‑processors
- Authorised list. predicto.ai Sub‑processors are listed in Annex III.
- Appointment of new Sub‑processors. predicto.ai will provide 30 days’ prior notice of any intended addition or replacement of Sub‑processors. Publisher may object on reasonable data‑protection grounds within that period. If the parties cannot resolve the objection, Publisher may terminate the affected Services without penalty.
- Flow‑down. predicto.ai will impose data‑protection obligations on Sub‑processors that are no less protective than those set out in this DPA.
9 International Transfers
predicto.ai shall not transfer Personal Data outside of: (i) the jurisdiction in which it was collected, or (ii) a jurisdiction recognised as providing an adequate level of protection, unless it first puts in place a lawful transfer mechanism under Applicable Privacy Laws (e.g., SCCs, UK Addendum or other recognised safeguards). The SCCs set out in Annex IV are incorporated by reference and shall apply automatically where required.
10 Audit & Compliance
- Documentation. predicto.ai will, upon reasonable written request, make available documentation necessary to demonstrate compliance with this DPA.
- Audits. Publisher (or an independent auditor it mandates) may audit predicto.ai’s compliance once per 12‑month period (or more frequently if required by a supervisory authority or in the event of a confirmed Breach), subject to: (i) 30 days’ notice; (ii) mutually‑agreed scope and methods; (iii) execution of an appropriate NDA; and (iv) reimbursement of predicto.ai’s reasonable costs.
11 Data Retention & Deletion
Upon termination or expiry of the Agreement, predicto.ai will, at Publisher’s choice, delete or return all Personal Data (including copies) Processed on Publisher’s behalf, unless retention is required by law or strictly necessary for dispute‑resolution. In the absence of instructions, predicto.ai will delete the Personal Data within 30 days of termination.
12 Liability & Indemnification
Each party’s liability arising from or relating to this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement, save that no limitation applies to: (i) unauthorised use or disclosure of Personal Data in breach of this DPA; or (ii) any liability that cannot be limited under Applicable Privacy Laws.
13 U.S. State‑Specific Terms
For California residents, predicto.ai acts as a “Service Provider” under the CCPA/CPRA and will not Sell or Share Personal Data, nor retain, use or disclose Personal Data for any purpose other than as specified in the Agreement, unless otherwise permitted by law. predicto.ai will honour any opt‑out signals in accordance with Applicable Privacy Laws and published technical specifications. Comparable commitments apply under other relevant U.S. state privacy statutes where applicable.
14 LGPD & Other Jurisdictions
Where the LGPD or another non‑EU privacy law applies, each party shall comply with its respective obligations thereunder and, where required, execute any standard contractual clauses or equivalent instruments mandated by local law.
15 Data Protection Officer (“DPO”)
predicto.ai has appointed a Data Protection Officer, who can be contacted at dpo@predicto.ai. The DPO shall serve as the primary point of contact for privacy‑related inquiries, including supervisory authority consultations.
16 Changes to this DPA
predicto.ai may update this DPA as necessary to reflect changes in Applicable Privacy Laws or the Services. predicto.ai will provide at least 30 days’ written notice of any material updates. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.
17 Governing Law & Jurisdiction
Unless otherwise required by the SCCs or mandatory law, this DPA — and any dispute arising out of or in connection with it — shall be governed by the laws of Israel, and the competent courts of Tel Aviv shall have exclusive jurisdiction.
Annex I — Details of Processing
Item | Description |
Subject‑matter & Nature | Provision of advertising‑technology, analytics, revenue‑attribution and related support services. predicto.ai collects, evaluates and transmits online identifiers and event‑level information to deliver, optimise and report on advertising inventory. |
Purpose(s) | (a) Delivering contextual and interest‑based advertising; (b) capping frequency, detecting fraud and measuring performance; (c) reporting aggregated campaign metrics; (d) operating, securing, improving and developing the Services; (e) complying with legal obligations. |
Categories of Data Subjects | End‑users of Publisher’s websites, apps and other digital properties; Publisher personnel (business contacts only). |
Types of Personal Data | Cookie IDs; mobile advertising IDs (IDFA, GAID, AAID); IP address; user‑agent string; coarse geolocation; device information; page URLs and referrers; timestamp; advertising metrics (impressions, clicks, conversions); consent or preference signals. predicto.ai does not intentionally collect special category data or children’s data. |
Duration of Processing | For the term of the Agreement plus the retention period in Section 11 of this DPA. |
Annex II — Technical & Organisational Security Measures
- Information‑security programme aligned with ISO/IEC 27001 and SOC 2 Type II, reviewed at least annually.
- Encryption in transit & at rest: TLS 1.2+ for data in motion; AES‑256 (or stronger) for data at rest.
- Access controls: RBAC, unique user IDs, MFA for privileged accounts, centralised logging and monitoring.
- Network security: segmented VPCs, WAF, IDS/IPS, automated DDoS mitigation and firewall rules.
- Application security: secure SDLC, code reviews, static & dynamic testing, annual penetration tests, OWASP Top‑10 safeguards.
- Pseudonymisation & data minimisation: storage of advertising IDs separate from raw event data; aggregation or anonymisation for reporting where feasible.
- Endpoint security: EDR, mandatory patch management and disk encryption on corporate endpoints.
- Business continuity & disaster recovery: geo‑redundant backups with quarterly restoration tests.
- Incident response: documented IRP with 24/7 on‑call rotation and defined breach‑notification plan.
Annex III — Authorised Sub‑processors (updated)
Sub‑processor | Service | Primary Processing Location | Transfer Mechanism |
Amazon Web Services Inc. | Cloud hosting / storage | USA, EU | SCCs Module 3 + UK Addendum |
Google LLC | Cloud services & analytics | USA, EU | SCCs Module 3 + UK Addendum |
Cloudflare Inc. | CDN & security (WAF, DNS) | USA, EU | SCCs Module 3 + UK Addendum |
Snowflake Inc. | Data‑warehouse platform | USA, EU | SCCs Module 3 + UK Addendum |
Mixpanel Inc. | Product analytics | USA | SCCs Module 3 + UK Addendum |
Meta Platforms Ireland Ltd. | Ad delivery & measurement (Meta Pixel / Conversions API) | EU, USA | Publisher‑level SCCs / EU Data Transfer Addendum (controller‑to‑controller) |
Google Ireland Ltd. | Ad delivery & measurement (Google Ads / Floodlight) | EU, USA | Publisher‑level SCCs (controller‑to‑controller) |
Pinterest Europe Ltd. | Ad delivery & measurement (Pinterest Tag) | EU, USA | SCCs (controller‑to‑controller) |
TikTok Information Technologies UK Ltd. | Ad delivery & measurement (TikTok Pixel / Events API) | EU, USA | SCCs (controller‑to‑controller) |
Snap Inc. | Ad delivery & measurement (Snap Pixel) | USA | SCCs (controller‑to‑controller) |
predicto.ai’s use of these entities is limited to the Publisher’s instructed pixel or server‑side events implementation. Each of the above Ad Platforms acts as an Independent Third‑Party Controller.
Annex IV — Standard Contractual Clauses (SCCs) & UK Addendum
By executing or accepting the Agreement, the parties enter into the EU SCCs (module 2 — Controller → Processor) and, where applicable, the UK International Data Transfer Addendum, with the following selections:
- Clause 7 (docking) — applies.
- Clause 9 (Sub‑processors) — general authorisation; 30‑day notice.
- Clause 11 (redress) — not included.
- Clause 17 (governing law) — Ireland.
- Clause 18 (forum & jurisdiction) — Ireland.
- Annex I(A) — Data exporter: Publisher; Data importer: predicto.ai.
- Annex I(B) — Description of transfer: see Annex I of this DPA.
- Annex II — Technical & organisational measures: Annex II of this DPA.
- Annex III — List of Sub‑processors: Annex III of this DPA.
IN WITNESS WHEREOF, the parties (or their duly authorised representatives) have caused this DPA to be executed or accepted as of the Effective Date of the Agreement.