Data Processing Addendum

1. Definitions

Capitalised terms not defined here have the meaning given in the Agreement, the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act as amended ("CCPA"), or other Data Protection Laws as applicable.

• Customer Data — Personal Data that EasyAds Processes on behalf of the Customer through the Service, including data Customer or its Authorised Users upload, configure, or instruct EasyAds to read from connected third-party platforms (Meta, Google, Stripe).
• Data Protection Laws — all laws applicable to the Processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, the Hungarian Information Act (Act CXII of 2011), and the CCPA / CPRA.
• Data Subject Request — a request from a Data Subject to exercise rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection, opt-out of sale or sharing).
• Process / Processing — has the meaning given in GDPR Article 4(2).
• Security Event — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.
• Sub-processor — a third party engaged by EasyAds to Process Customer Data, listed in Section 4.

2. Roles and Subject Matter

For the purposes of this DPA:

• Customer is the Controller (or, where applicable, a Processor acting on instructions from a higher-tier Controller).
• EasyAds is the Processor.
• Each party shall comply with the obligations applicable to it under Data Protection Laws.

Subject matter and duration: EasyAds Processes Customer Data only to provide the Service for the duration of the Agreement plus the retention windows set out in Section 9.

Nature and purpose of Processing: automated management of Customer's Meta (Facebook / Instagram) advertising — strategy generation, creative production, audience configuration, budget optimisation, performance reporting, customer-CAPI event forwarding, and the related operations described in the Privacy Policy.

Categories of Data Subjects: Customer's end-customers, prospects, and website visitors whose data flows through Customer's connected pixel / CAPI; Customer's Authorised Users (employees, agents, contractors).

Categories of Personal Data: contact identifiers (name, email, phone where supplied to CAPI), online identifiers (IP, browser identifiers, Meta click IDs), behavioural and event data (pageview, add-to-cart, purchase events), commercial data (purchase value, currency, order ID), and account information for Authorised Users (name, email, password hash).

3. Customer Instructions

EasyAds shall Process Customer Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by Data Protection Laws applicable to EasyAds. The Agreement, the Service's configuration options (Settings), and Customer's use of the Service constitute Customer's documented instructions.

If EasyAds is required by law to Process Customer Data otherwise than as instructed, EasyAds shall notify Customer of that legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest.

EasyAds shall promptly inform Customer if, in EasyAds' opinion, an instruction infringes Data Protection Laws.

4. Sub-processors

Customer authorises EasyAds to engage Sub-processors to Process Customer Data. EasyAds maintains a current list of Sub-processors on the Privacy Policy (Section 5) which forms part of this DPA. The list as at the effective date of this DPA includes:

• Stripe (USA) — payment processing & subscription management
• Resend (USA) — transactional email delivery
• Anthropic (USA) — AI language models for strategy / optimisation
• Google / Gemini (USA) — AI image and copy generation
• Meta Platforms (USA) — Meta Marketing API and marketing-page Pixel attribution
• Vercel (USA / EU) — application hosting and edge runtime
• Neon (USA / EU) — managed PostgreSQL database
• Sentry (USA) — error reporting and exception monitoring

EasyAds shall impose obligations on each Sub-processor that are no less protective than those in this DPA. EasyAds remains liable to Customer for the acts and omissions of its Sub-processors as if they were its own.

Notice of new Sub-processors: EasyAds shall update the Privacy Policy list and notify Customer (by email or in-product banner) at least 14 days before a new Sub-processor begins Processing Customer Data. Customer may object on reasonable, specific grounds related to data protection within that notice window. If the parties cannot resolve the objection in good faith, Customer's sole remedy is to terminate the affected portion of the Service for convenience without penalty.

5. International Transfers

Several Sub-processors are located outside the EEA / UK / Switzerland. For transfers from the EEA / UK / Switzerland to a third country that does not benefit from an adequacy decision, EasyAds relies on:

• EU Standard Contractual Clauses (Module 3 — Processor-to-Processor) approved by Commission Implementing Decision (EU) 2021/914, as the Module that fits the Customer-as-Controller / EasyAds-as-Processor relationship; OR Module 2 (Controller-to-Processor) where applicable;
• For UK transfers: the UK International Data Transfer Addendum (IDTA) to the EU SCCs, issued by the UK Information Commissioner's Office (ICO);
• For Swiss transfers: the SCCs as recognised by the Federal Data Protection and Information Commissioner (FDPIC).

The applicable SCCs / IDTA are incorporated into this DPA by reference. Customer accepts the SCCs by accepting this DPA. Copies executed by EasyAds are available on request.

6. Security Measures

EasyAds shall implement and maintain appropriate technical and organisational measures to protect Customer Data against Security Events, taking into account the state of the art, the costs of implementation, the nature of the Processing, and the risks to Data Subjects (GDPR Article 32). The current measures are described in the Security page and include, at minimum:

• Passwords stored as bcrypt hashes (cost factor 12); plaintext passwords are never stored or logged
• Meta access tokens encrypted at rest with AES-256-GCM
• TLS 1.2+ for all data in transit
• API keys stored as SHA-256 hashes; raw keys shown once at creation only
• Session cookies are httpOnly, Secure, SameSite=Lax
• Workspace-scoped authorisation enforced on every API endpoint
• Rate limiting on registration, login, and AI endpoints
• OAuth state HMAC-SHA256 signed and bound to the authenticated user
• Backups retained for up to 30 days then overwritten

EasyAds shall ensure that personnel authorised to Process Customer Data are bound by confidentiality obligations and have received appropriate data-protection training.

7. Security Event Notification

EasyAds shall notify Customer of a Security Event affecting Customer Data without undue delay and in any event within 72 hours of becoming aware of it. The notification shall include:

• A description of the nature of the Security Event including (where possible) the categories and approximate number of Data Subjects and Personal Data records concerned;
• The name and contact details of EasyAds' data-protection point of contact (currently help@goeasyads.com);
• A description of the likely consequences of the Security Event;
• A description of the measures taken or proposed to address the Security Event including measures to mitigate its possible adverse effects.

Where EasyAds cannot provide all of the above information at once, the information may be provided in phases without further undue delay.

8. Data Subject Requests

Taking into account the nature of the Processing, EasyAds shall assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to Data Subject Requests under Data Protection Laws.

If EasyAds receives a Data Subject Request directly relating to Customer Data, EasyAds shall (a) advise the Data Subject to direct the request to Customer; and (b) promptly notify Customer.

Customer can exercise the most common Data Subject Requests directly in the Service (Settings → Account → Export my data; Settings → Account → Delete account). For other requests, Customer may contact help@goeasyads.com.

9. Audits

EasyAds shall make available to Customer on reasonable written request all information necessary to demonstrate compliance with the obligations laid down in this DPA, and shall allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

To minimise duplicative audit burden across EasyAds' entire customer base, the parties agree:

• EasyAds' written responses to Customer's reasonable security questionnaire shall be the first form of audit evidence.
• On-site or technical audits shall be limited to no more than once per 12 months unless a Security Event or material change has occurred, conducted on no less than 30 days' written notice, during EasyAds' normal business hours, and at Customer's expense.
• Audits may not unreasonably interfere with EasyAds' operations or compromise the confidentiality of other customers' data.

10. Return / Deletion of Customer Data

On termination of the Agreement, EasyAds shall, at Customer's choice, delete or return all Customer Data and delete existing copies, unless Data Protection Laws require storage. Default behaviour: within 30 days of account deletion (the standard backup-retention window described in the Privacy Policy), all Customer Data is deleted from primary databases and overwritten in backups.

Customer may request a final export of Customer Data via Settings → Account → Export my data, or by emailing help@goeasyads.com at least 7 days before terminating.

11. CCPA / CPRA

For Personal Information of California residents, the parties acknowledge that EasyAds is a "Service Provider" (as defined in the CCPA / CPRA). EasyAds shall not:

• Sell or Share (as defined under the CCPA / CPRA) Personal Information received from Customer;
• Retain, use, or disclose Personal Information for any purpose other than the specific business purposes set forth in the Agreement;
• Retain, use, or disclose Personal Information outside of the direct business relationship between Customer and EasyAds;
• Combine Personal Information received from Customer with Personal Information from another source, except as expressly permitted by the CCPA.

EasyAds certifies that it understands the foregoing restrictions and shall comply with them.

12. Liability

Each party's liability under this DPA, taken together with all liability under the Agreement, is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability where such limitation is prohibited by Data Protection Laws.

13. Order of Precedence

If there is any conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict. If there is any conflict between this DPA and any Standard Contractual Clauses incorporated by reference under Section 5, the Standard Contractual Clauses prevail.

14. Governing Law and Jurisdiction

This DPA is governed by the same governing law as the Agreement (United Arab Emirates / Sharjah), without prejudice to any mandatory provisions of Data Protection Laws applicable to a Data Subject's rights or to disputes arising under the Standard Contractual Clauses, which retain their own governing law and jurisdiction (typically the law of an EU Member State).

15. Contact

Data-protection point of contact for this DPA:

Email: help@goeasyads.com (subject line "DPA inquiry")
Orosz Enterprises FZE LLC
Business Centre, Sharjah Publishing City Free Zone
Sharjah, United Arab Emirates
Formation No.: 4428075 · Licence No.: 4428075.01

Drafting credits

The structure of this DPA is adapted from the open-source Common Paper Data Processing Agreement, with EasyAds-specific clauses for the Meta Marketing API processing context. Hosted at https://app.goeasyads.com/dpa.