When we touch your customers' personal data, you're the controller, we're the processor. GDPR Art. 28 terms apply. Standard Contractual Clauses cover EU/UK transfers. 72-hour breach notification. Sub-processor list is public and you get 30 days' notice before changes.
Scope and roles
This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Controller” or “Client”) and Highstone Media, LLC (the “Processor”) for the services described in the applicable Statement of Work and our Terms of Service. It governs any Processing of Personal Data we perform on the Client's behalf.
Where the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, or the Swiss Federal Act on Data Protection apply, the Client acts as Controller and Highstone acts as Processor. Where the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”) applies, the Client is the Business and Highstone is the Service Provider.
By signing a Statement of Work, the Client also signs this DPA. Each party warrants that the individual signing the SOW has authority to bind it under this DPA.
Definitions
- Personal Data
- Has the meaning given in GDPR Art. 4(1) and equivalent definitions under UK GDPR, Swiss FADP, and CCPA/CPRA.
- Processing
- Has the meaning given in GDPR Art. 4(2).
- Data Subject
- The natural person to whom Personal Data relates.
- Sub-processor
- Any third party engaged by Highstone to Process Personal Data on the Client's behalf.
- Data Protection Laws
- GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, and any other privacy or data-protection law applicable to the parties' Processing under this DPA.
- SCCs
- The European Commission's Standard Contractual Clauses (EU) 2021/914 of 4 June 2021, including the UK International Data Transfer Addendum.
Details of processing (GDPR Art. 28(3))
- Subject matter
- The digital advertising services described in the SOW (campaign management, creative production, measurement).
- Duration
- For the term of the engagement plus the period required to delete or return the Personal Data and to comply with legal retention obligations.
- Nature and purpose
- To deliver the services, including configuring Conversions APIs, importing audiences, building dashboards, and reporting on campaign performance.
- Categories of Data Subjects
- The Client's end customers and prospects; visitors to the Client's websites; recipients of the Client's advertising.
- Categories of Personal Data
- Identifiers (name, email, phone, hashed identifiers, device IDs); IP and user-agent data; pseudonymous identifiers (e.g.
fbp,fbc,_ga); commercial data (purchase events, order value); approximate geolocation. - Special categories
- None. Highstone will not knowingly Process special-category data and the Client agrees not to instruct us to.
- Frequency
- Continuous, via real-time integrations with advertising platforms and analytics tools.
- Storage location
- United States (Vercel, Cloudflare, Google Cloud regions per our hosting and analytics providers).
Highstone obligations as processor
Highstone will:
- Process Personal Data only on the Client's documented instructions (including those in the SOW and reasonable written instructions thereafter), except where required by applicable law (in which case Highstone will inform the Client unless that law prohibits notice).
- Ensure that persons authorised to Process Personal Data are subject to a duty of confidentiality.
- Implement the technical and organisational measures described in our Trust & Security page and Annex II of the SCCs incorporated below.
- Engage Sub-processors only on the terms set out under “Sub-processors” below.
- Taking into account the nature of the Processing, assist the Client by appropriate technical and organisational measures, in so far as is possible, to respond to Data Subject requests (GDPR Art. 28(3)(e)).
- Assist the Client in ensuring compliance with GDPR Articles 32 to 36 (security, breach notification, data-protection impact assessments, prior consultation) (Art. 28(3)(f)).
- At the Client's choice, delete or return all Personal Data after the end of the provision of services and delete existing copies, unless applicable law requires storage (Art. 28(3)(g)).
- Make available to the Client all information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, conducted by the Client or another auditor mandated by the Client (Art. 28(3)(h)). Audits may be conducted no more than once per twelve (12) months absent a security incident, with at least 30 days' notice, during business hours, and subject to confidentiality.
Highstone will notify the Client without undue delay and within 72 hours of becoming aware of a Personal Data Breach affecting the Client's Personal Data, and will provide information required by GDPR Art. 33(3) as it becomes available.
Client obligations as controller
The Client will:
- Establish and maintain a lawful basis for the Processing carried out by Highstone under this DPA.
- Provide all required privacy notices to Data Subjects, and obtain all required consents (e.g. for marketing cookies on the Client's own properties, for inclusion in custom audiences, for sensitive-category data).
- Ensure that the Personal Data provided to Highstone is accurate, up to date, and limited to what is necessary for the Processing.
- Respond to Data Subject requests directed at the Client as the Controller, with Highstone's reasonable assistance.
- Maintain its own records of Processing activities under GDPR Art. 30 where applicable.
- Not instruct Highstone to Process Personal Data in a manner that would violate Data Protection Laws.
Sub-processors
The Client provides general written authorisation for Highstone to engage Sub-processors. The current Sub-processor list is published at /sub-processors.
Highstone will:
- Impose data-protection obligations on each Sub-processor by written contract that are no less protective than this DPA, including the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures (GDPR Art. 28(4)).
- Remain liable to the Client for the acts and omissions of its Sub-processors as if those acts and omissions were its own.
- Notify the Client of any intended change concerning the addition or replacement of Sub-processors at least 30 days in advance, giving the Client the opportunity to object.
If the Client objects to a Sub-processor on reasonable data-protection grounds and the parties cannot agree on an alternative within 30 days of the objection, either party may terminate the affected service with no penalty.
International transfers
Where the Processing involves a transfer of Personal Data from the EEA, the UK, or Switzerland to a country outside that area that has not been deemed adequate by the relevant authority, the parties agree as follows:
- The EU Standard Contractual Clauses 2021/914 (Module 2: Controller to Processor) are hereby incorporated by reference and entered into between the parties. Where Highstone engages a Sub-processor outside the adequate region, Module 3 (Processor-to-Processor) applies and is back-to-back with our upstream Module 2 obligations.
- For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, in force 21 March 2022) is incorporated by reference.
- For transfers from Switzerland, references to the GDPR are read as references to the Swiss FADP and the competent supervisory authority is the Swiss FDPIC.
- Annex I (parties, transfer details, competent supervisory authority) and Annex II (technical and organisational measures) are completed as described in this DPA and our Trust & Security page; Annex III (Sub-processors) is the list at /sub-processors.
For each transfer, Highstone has conducted (or will conduct on request) a transfer impact assessment and applies supplementary measures including encryption in transit and at rest, access controls, and contractual transparency commitments.
CCPA / CPRA-specific terms
When Highstone Processes Personal Information of California residents on the Client's behalf under CCPA/CPRA, Highstone acts as a Service Provider and:
- Will not sell or share Personal Information (as those terms are defined under CCPA/CPRA).
- Will not retain, use, or disclose Personal Information for any purpose other than the specific business purpose of providing the services to the Client, or as otherwise permitted by CCPA/CPRA.
- Will not retain, use, or disclose Personal Information outside the direct business relationship with the Client.
- Will not combine Personal Information received from or on behalf of the Client with Personal Information received from or on behalf of any other person, or collected from Highstone's own interaction with consumers, except as expressly permitted by CCPA/CPRA.
- Will notify the Client if Highstone makes a determination that it can no longer meet its obligations under CCPA/CPRA.
- Grants the Client the right to take reasonable and appropriate steps to stop and remediate unauthorised use of Personal Information.
Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except where applicable law does not permit such limitation in respect of breaches of Data Protection Laws. Nothing in this DPA limits a Data Subject's rights under GDPR Art. 79 or 82.
Term and survival
This DPA takes effect on the effective date of the SOW and continues until Highstone ceases to Process Personal Data on the Client's behalf. Obligations relating to confidentiality, breach notification, and post-termination data handling survive.
Contact
- Highstone privacy contact
- privacy@highstonemedia.com
- Highstone legal contact
- legal@highstonemedia.com
- Phone
- +1 (360) 994-1062
- Highstone Media, LLC · Attn: Legal
317 W Whitney St
Sheridan, WY 82801, USA