AdMesh Data Processing Addendum

Last Updated: March 13, 2026

This Data Processing Addendum ("DPA") is part of the agreement between AdMesh and the customer entity that uses the AdMesh services ("Customer"). It applies when AdMesh processes Customer Personal Data on Customer's behalf in connection with the services.

Quick Summary

  • Customer controls the personal data it sends to AdMesh.
  • AdMesh acts as a processor or service provider when handling that data for the services.
  • AdMesh applies confidentiality, security, and subprocessor controls.
  • AdMesh helps with deletion, data subject requests, and breach notice where required.
  • International transfers use appropriate legal safeguards when needed.

1. Definitions

For purposes of this DPA:

  • "Customer Personal Data" means personal data processed by AdMesh on behalf of Customer under the Agreement.
  • "Data Protection Laws" means applicable laws and regulations governing the processing of personal data, including the GDPR, UK GDPR, and applicable U.S. state privacy laws where relevant.
  • "GDPR" means Regulation (EU) 2016/679.
  • "Services" means the AdMesh platform, APIs, SDKs, and related services provided under the Agreement.
  • "Subprocessor" means a third party engaged by AdMesh to process Customer Personal Data on Customer's behalf.

2. Scope and Roles of the Parties

Customer is the controller or business, or acts on behalf of a controller or business, for Customer Personal Data processed under this DPA. AdMesh acts as a processor or service provider solely to the extent it processes Customer Personal Data on Customer's behalf to provide the Services.

The parties acknowledge that AdMesh may also process certain personal data as an independent controller for its own legitimate business purposes, including account administration, billing, fraud prevention, security, legal compliance, and service improvement. Such controller processing is governed by the applicable agreement and AdMesh's privacy disclosures, not by this DPA.

3. Subject Matter and Duration

The subject matter of this DPA is AdMesh's provision of the Services to Customer.

Processing lasts for the term of the Agreement plus any period during which AdMesh retains Customer Personal Data under the Agreement, this DPA, or applicable law.

Processing may include receiving, storing, organizing, analyzing, transmitting, and otherwise handling Customer Personal Data as needed to operate the Services, provide attribution and measurement, maintain security, support integrations, and follow Customer instructions consistent with the Agreement.

4. Categories of Data and Data Subjects

Depending on Customer's use of the Services, Customer Personal Data may include:

  • account and business contact information;
  • API and integration metadata;
  • query, recommendation, attribution, and event metadata;
  • device, browser, IP, and technical log information;
  • campaign, conversion, and billing-related records;
  • any other personal data Customer chooses to send through the Services.

Data subjects may include Customer personnel, Customer end users, publishers, advertisers, agencies, platform users, and other individuals whose personal data Customer submits to the Services.

Customer is responsible for ensuring that the categories of personal data it submits are appropriate for the Services and permitted under Data Protection Laws.

5. Customer Instructions

AdMesh will process Customer Personal Data only on documented instructions from Customer, unless applicable law requires otherwise. Those instructions include the Agreement, this DPA, and Customer's configuration and use of the Services.

Customer instructs AdMesh to process Customer Personal Data as needed to provide, secure, support, and improve the Services, and to prevent abuse and enforce platform policies, to the extent that work is performed on Customer's behalf.

6. Customer Obligations

  • Customer is responsible for determining whether the Services are appropriate for its processing activities and legal obligations.
  • Customer will provide all required notices and obtain all necessary rights, consents, and permissions for AdMesh to process Customer Personal Data as contemplated by the Agreement.
  • Customer will not instruct AdMesh to process special category data or other highly sensitive data unless expressly agreed in writing.
  • Customer remains responsible for the lawfulness, quality, and accuracy of Customer Personal Data submitted to the Services.

7. Confidentiality and Personnel

AdMesh will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and are given access only as necessary to perform their duties in connection with the Services.

8. Security Measures

AdMesh will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures may include, as appropriate:

  • access controls and role-based permissions;
  • encryption in transit and at rest where appropriate;
  • logging, monitoring, and incident response controls;
  • environment segregation and key management practices;
  • backup, recovery, and resilience procedures;
  • vendor and infrastructure security review processes.

9. Subprocessors

Customer provides general authorization for AdMesh to engage Subprocessors in connection with the Services.

AdMesh will impose data protection obligations on Subprocessors that are no less protective than those set out in this DPA with respect to the processing of Customer Personal Data.

AdMesh will remain responsible for the performance of its Subprocessors to the extent required by Data Protection Laws.

10. Assistance with Data Subject Requests

Taking into account the nature of the processing, AdMesh will provide reasonable assistance to Customer, through appropriate technical and organizational measures where feasible, to help Customer respond to requests from data subjects exercising their rights under Data Protection Laws.

11. Assistance with Compliance

Taking into account the nature of the processing and the information available to AdMesh, AdMesh will provide reasonable assistance to Customer with Customer's obligations regarding security, breach notifications, impact assessments, and prior consultations with supervisory authorities, to the extent required by applicable law.

12. Security Incidents

AdMesh will notify Customer without undue delay after it becomes aware of a confirmed personal data breach affecting Customer Personal Data.

Where reasonably available, the notice will include enough information to help Customer understand the incident, the categories of data affected, and the remediation steps taken or proposed.

13. Audits and Information

AdMesh will make available information reasonably necessary to demonstrate its compliance with this DPA.

Where required by Data Protection Laws, Customer may request a reasonable audit or inspection, subject to confidentiality, security, scope, timing, and cost controls, and only to the extent such information cannot reasonably be satisfied through existing documentation, reports, or certifications.

14. Return and Deletion of Data

When the applicable Services end, AdMesh will delete or return Customer Personal Data unless retention is required by law, needed for security or fraud prevention, or allowed under the Agreement for backup, dispute resolution, or compliance purposes.

15. International Transfers

Customer authorizes AdMesh and its Subprocessors to process Customer Personal Data in the United States and other countries in which AdMesh or its Subprocessors operate, provided that AdMesh implements an appropriate lawful transfer mechanism when required by Data Protection Laws.

If applicable, the parties will cooperate in good faith to implement appropriate transfer safeguards, which may include the European Commission's Standard Contractual Clauses and, where required for UK transfers, the UK International Data Transfer Addendum or another recognized safeguard.

The parties acknowledge that data transfer obligations may vary by jurisdiction and that supplementary measures may be appropriate depending on the transfer scenario.

16. CCPA and Similar U.S. Laws

To the extent AdMesh processes personal information subject to the California Consumer Privacy Act or similar U.S. state privacy laws, AdMesh will act as a service provider or processor, as applicable, and will not sell or share such personal information except as permitted by those laws and the Agreement.

AdMesh will process such personal information only for the business purposes set out in the Agreement and this DPA, or as otherwise permitted by applicable law.

17. Order of Precedence

If there is a conflict between this DPA and the Agreement, this DPA will control solely with respect to the processing of Customer Personal Data. Except as expressly modified by this DPA, the Agreement remains in full force and effect.

18. Annex A

The following information describes the processing covered by this DPA:

  • Subject matter: provision of AdMesh's advertising, attribution, monetization, and analytics services.
  • Duration: the term of the Agreement and any authorized retention period.
  • Nature and purpose: service delivery, event processing, attribution, fraud prevention, security, support, analytics, and customer-directed integrations.
  • Categories of data subjects: Customer users, end users, publishers, advertisers, agencies, platform users, and personnel.
  • Categories of personal data: business contact information, technical and device data, event data, query and recommendation metadata, billing data, and other personal data Customer submits to the Services.

19. Contact

For questions about this DPA, contact legal@useadmesh.com.