CAPIGMA DATA PROCESSING ADDENDUM (DPA)
Last updated: 01/07/2025
1. PURPOSE
1.1 This Data Processing Addendum (“DPA”) supplements the CAPIGMA Terms & Conditions (“Main Agreement”) between Admixer Advertising GmbH (“CAPIGMA”, “Processor”) and the entity identified in the applicable Order (“Client”, “Controller”).
1.2 The DPA ensures compliance with (i) Regulation (EU) 2016/679 (“GDPR”), (ii) the UK GDPR, and (iii) the Austrian Data Protection Act 2018 (“DSG”).
2. DEFINITIONS
Terms not defined herein have the meaning set out in the GDPR.
- Personal Data, Processing, Controller, Processor, Sub‑processor, Supervisory Authority, Data Subject – as per GDPR Art. 4.
- EEA – European Economic Area.
- Breach – A Personal‑Data Breach under GDPR Art. 4 (12).
- Technical & Organisational Measures – safeguards in Annex IV.
3. DURATION & SCOPE OF PROCESSING
3.1 This DPA enters into force on the Effective Date and terminates upon deletion of all Personal Data as per § 15.
3.2 CAPIGMA shall Process Personal Data only (i) for the limited and specified purposes described in Annex I, and (ii) on documented instructions of the Controller, unless Union / Member-State law requires otherwise.
3.3 If CAPIGMA believes an instruction infringes Applicable Law, it shall promptly inform the Controller (§ 6.2(d)).
4. DESCRIPTION OF PROCESSING
Annex I describes: categories of Data Subjects; types of Personal Data; nature, purpose and retention of Processing; frequency of transfers; and competent Supervisory Authorities.
5. OBLIGATIONS OF THE CONTROLLER
5.1 Establish and document a lawful basis (GDPR Art. 6) for all Processing carried out via CAPIGMA; obtain explicit consent where required.
5.2 Provide transparent information to Data Subjects, including disclosure of transfers to the USA (Meta) and CAPIGMA’s role as Processor.
5.3 Configure the Service to honour consent preferences and refrain from sending special-category data unless explicitly agreed.
5.4 Maintain accurate records of Processing activities under GDPR Art. 30 (1).
6. OBLIGATIONS OF THE PROCESSOR
6.1 Process Personal Data solely for the purposes set out in Annex I or further documented instructions.
6.2 Compliance:
- a) Ensure personnel are bound by confidentiality.
- b) Implement the Technical & Organisational Measures in Annex IV and evaluate them regularly.
- c) Assist the Controller with Data-Subject requests, DPIAs and prior consultations (GDPR Arts. 35–36).
- d) Inform the Controller if an instruction is unlawful or unworkable.
6.3 Maintain records of Processing under GDPR Art. 30 (2) and make them available upon request.
6.4 Co-operate with Supervisory Authorities in the performance of their tasks.
7. TECHNICAL & ORGANISATIONAL MEASURES
CAPIGMA’s security framework includes, inter alia: encryption in transit and at rest (TLS 1.3 / AES-256), SHA-256 hashing of contact identifiers, zero-trust IAM, DDoS mitigation, vulnerability management, 24/7 monitoring, incident-response plan, business-continuity & disaster-recovery procedures, and annual ISO/IEC 27001 audits.
8. SUB-PROCESSOR ENGAGEMENT
8.1 The Controller grants general authorisation to CAPIGMA to engage Sub-processors listed in Annex III.
8.2 CAPIGMA shall enter into written agreements with each Sub-processor imposing data-protection obligations no less protective than those in this DPA (GDPR Art. 28 (4)).
8.3 CAPIGMA will notify the Controller at least thirty (30) days before replacing or adding a Sub-processor. The Controller may object on reasonable, documented privacy grounds; if unresolved, either party may terminate the affected Service with a pro-rata refund.
9. INTERNATIONAL TRANSFERS
9.1 Where Processing involves a transfer of Personal Data to a third country not subject to an adequacy decision, the parties shall rely on the EU Standard Contractual Clauses 2021/914 (Module Two) or the UK IDTA, as set out in Annex II.
9.2 CAPIGMA will implement supplementary measures (e.g. encryption, pseudonymisation) to ensure essentially equivalent protection (Schrems II compliance).
9.3 Where CAPIGMA’s Sub‑processors are located outside the EEA/UK, CAPIGMA will sign onward‐transfer SCCs/IDTAs and provide copies upon request (commercially redacted).
10. DATA‑SUBJECT RIGHTS ASSISTANCE
10.1 CAPIGMA shall notify the Controller without undue delay if it receives a Data‑Subject request under GDPR Arts. 15–22.
10.2 CAPIGMA shall, to the extent possible, assist the Controller in fulfilling the request within the statutory time limits. Reasonable administrative costs may apply for manifestly unfounded or excessive requests.
11. PERSONAL‑DATA BREACH NOTIFICATION
11.1 CAPIGMA shall notify the Controller without undue delay and, in any event, within seventy‑two (72) hours after becoming aware of a Breach.
11.2 The notification shall describe: (a) the nature of the Breach, (b) categories and approximate number of Data Subjects and records concerned, (c) likely consequences, (d) measures taken or proposed.
11.3 CAPIGMA will promptly investigate, mitigate and keep the Controller informed of progress.
12. AUDIT & CERTIFICATION
12.1 CAPIGMA shall make available all information necessary to demonstrate compliance and, at the Controller’s written request no more than once per year, allow for on‑site or remote audits during Business Hours with thirty (30) days’ notice. Audits shall not unreasonably disrupt CAPIGMA’s operations.
12.2 As an alternative, CAPIGMA may provide recent ISO/IEC 27001 certificates, SOC 2 Type II reports or equivalent third‑party attestations, which the Controller agrees may satisfy audit requirements.
13. DOCUMENTATION & RECORDS
CAPIGMA shall retain evidence of Processing activities, security‑training logs, incident reports and audit trails for a minimum of six (6) years or as mandated by Applicable Law.
14. LIABILITY & INDEMNIFICATION
14.1 Each party’s liability under this DPA is subject to the limitations in the Main Agreement, save that nothing limits liability for breaches of GDPR Art. 82.
14.2 CAPIGMA shall indemnify the Controller against fines or claims arising from CAPIGMA’s breach of this DPA or Applicable Law, to the extent CAPIGMA is at fault.
15. TERMINATION, DELETION & RETURN
15.1 Upon termination of the Main Agreement, CAPIGMA shall, at the Controller’s choice, delete or return all Personal Data (and copies) after thirty (30) days, unless Union / Member‑State law requires retention.
15.2 Confirmation of deletion shall be provided in writing upon request. Backup-system overwrite cycles shall not exceed three (3) years.
16. GOVERNING LAW, JURISDICTION & ORDER OF PRECEDENCE
16.1 This DPA is governed by Austrian law. The parties submit to the exclusive jurisdiction of the Handelsgericht Wien (Commercial Court of Vienna) for all disputes.
ANNEX I – DETAILS OF PROCESSING
A1. Subject Matter – Provision of the CAPIGMA SMG, AMG and SG SaaS components facilitating server‑side event transmission to Meta Conversions API.
A2. Nature & Purpose – Collection, hashing (SHA‑256), deduplication, formatting, forwarding and analytics of event data; account administration; support.
A3. Categories of Data Subjects – End‑users of Controller’s websites/apps; Controller’s employees or agents (account data).
A4. Categories of Personal Data –
- Hashed identifiers (email, phone)
- IP address, user‑agent, browser/device info
- Event parameters (page view, purchase, etc.)
- Meta Access Tokens (OAuth)
- Account credentials & billing metadata
A5. Special‑Category Data – Not intended; prohibited unless separately agreed.
A6. Retention Schedule –
- Technical logs: indefinite (shorter upon Controller’s request).
- Meta tokens: 30‑day TTL (activated when the dataset‑quality API is enabled).
- Raw events: not stored; transit only.
A7. Frequency of Transfer – Continuous, real‑time API calls.
A8. Competent Supervisory Authority – Austrian Data Protection Authority (or UK ICO for UK transfers).
ANNEX II – EU STANDARD CONTRACTUAL CLAUSES & UK IDTA
The parties shall complete, sign and append the latest EU SCC (2021/914, Module Two) and, where applicable, the UK International Data Transfer Addendum (version B1.0), including the Part 1 Tables.
ANNEX III – APPROVED SUB‑PROCESSORS
| Name | Processing Activity | Location | Safeguard |
|---|---|---|---|
| Google Cloud Platform | Infrastructure hosting, storage, backups | EU | C2P SCC + ISO 27001 |
| Gmail SMTP (Google Workspace) | Transactional e‑mail delivery | EU / EEA | C2P SCC |
| Stripe Payments Europe Ltd | Automated billing (future) | EU & USA | C2P SCC + UK Addendum |
ANNEX IV – TECHNICAL & ORGANISATIONAL MEASURES
- Encryption – TLS 1.3 for data in transit; AES‑256 at rest; hashing of identifiers via SHA‑256.
- Access Control – Role‑based IAM, MFA, least‑privilege, quarterly access reviews.
- Asset & Patch Management – Automated CVE scanning, 30‑day patch SLA for high‑severity issues.
- Monitoring & Logging – Centralised SIEM with real‑time alerts; logs retained 12 months, immutable storage.
- Incident Response – 24/7 on‑call team; triage within 15 minutes; documented playbooks; post‑mortems.
- Business Continuity – Multi‑zone replication; daily encrypted backups; RPO ≤ 4 hours, RTO ≤ 2 hours.
- Employee Security – Background checks, NDA, annual GDPR & security training.
- Vendor Management – Risk‑based due‑diligence, SCC/IDTA execution, annual reassessment.
- Pen-Testing & Audits – Annual external penetration tests, SOC 2 Type II and ISO/IEC 27001 certification.