Data Processing Agreement

Effective Date: May 2026

This Data Processing Agreement (“DPA”) is incorporated into and subject to the Terms of Service, the Ad Network Terms & Conditions, or other written or digital agreement (as applicable, the “Agreement”) between ByteBrew, Inc. (“ByteBrew”) and the customer that entered into the Agreement (“Customer,” and together with ByteBrew, the “Parties”), in addition to other agreements and policies governing your access to and use of the Services and the Platform. To the extent you access or use the Services or Platform, you shall be deemed to have accepted this DPA upon acceptance or execution of the applicable Agreement. ByteBrew may update this DPA from time to time, and we will provide reasonable notice of any material updates.

1. SCOPE.

  1. The Parties agree to enter into this DPA for the purposes of ensuring compliance with applicable Data Protection Laws. Customer enters into this DPA on behalf of itself and on behalf of its authorized Affiliates. ByteBrew may receive Shared Personal Data through Customer’s access or use of the Services and, in consideration of the mutual obligations set out herein, the Parties agree to comply with the following provisions with respect to any Shared Personal Data Processed in connection with the Services. Except as modified below, the terms of the Agreement shall remain in full force and effect.

2. DEFINITIONS. In addition to the terms defined in the Agreement and above, the following terms shall have the following meanings for the purposes of this DPA:

  1. “Adequate Jurisdiction” means a country which ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, as determined by the European Commission in the case that GDPR applies, and as determined by the UK Information Commissioner’s Office in the case that the UK GDPR applies.
  2. “Affiliates” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party.
  3. “Approved Addendum” means the template addendum (version B.1.0) issued by the United Kingdom International Commissioner’s Office (ICO) and laid before the United Kingdom Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of such addendum.
  4. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code sections 1798.100 et seq., and all implementing regulations, as amended from time to time, such as by the California Privacy Rights Act of 2020.
  5. “Data Protection Laws” means EU Data Protection Law, the CCPA, the Brazilian General Personal Data Protection Law, No. 13,709/2018 (the “LGPD”), and any other legislation protecting natural persons’ right to privacy with regard to the processing of Shared Personal Data, in each case to the extent applicable to a Party’s Processing of Shared Personal Data in connection with the Services.
  6. “Data Subject Rights” means the rights granted to Data Subjects under Data Protection Laws.
  7. “EU Data Protection Law” means the GDPR, the e-Privacy Directive and national implementing legislation and the Swiss Federal Data Protection Act.
  8. “GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“EU GDPR”) and, where applicable, the “UK GDPR” as defined in the Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019.
  9. “Member State” means a member state of the European Economic Area, together with Switzerland and the United Kingdom.
  10. “SCCs” means (a) with respect to data transfers from the European Union to third countries that are not deemed adequate jurisdiction by the European Commission, Module 1 (controller to controller) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 (the “EU SCCs”); (b) with respect to data transfers from the United Kingdom, Module 1 (controller to controller) of the EU SCCs as further amended by Part 2: Mandatory Clauses of the Approved Addendum (the “UK Mandatory Clauses”), together with any other necessary conforming changes to the EU SCCs (collectively, the “UK SCCs”); and (c) any updated, revised, or separate clauses relating to data transfer requirements of the GDPR issued from time to time by the European Commission, UK Information Commissioner’s Office, any other applicable data protection authority, or other body with competent authority and jurisdiction.
  11. “Shared Personal Data” means Personal Data Processed by a Party to the extent such Party received that Personal Data from the other Party (that other party, the “Sharing Party” under this definition) in connection with the performance of the Agreement. For the avoidance of doubt, a Party is also deemed to “receive” Shared Personal Data from a Sharing Party where the Sharing Party grants access to such Shared Personal Data to the receiving Party.
  12. “Transparency Notices” has the meaning given to it in clause 3.2.1.
  13. The terms “Controller,” “Process,” “Processor,” “Data Subject,” and “Personal Data,” shall have the meanings given in Data Protection Laws. To the extent Data Protection Laws use different terms to cover concepts similar to those covered under the aforementioned bold terms in this Section 2(m), then “Controller,” “Process,” “Processor,” “Data Subject,” and “Personal Data” shall have the meaning assigned to those similar terms under such Data Protection Laws. For the avoidance of doubt, the terms “Controller” and “Processor” include “Business” and “Service Provider,” respectively, as defined in the CCPA.

3. DATA PROCESSING; INDEPENDENT CONTROLLERS.

  1. ByteBrew and Customer: (a) are independent Controllers with regard to the Shared Personal Data; (b) will individually determine the purposes and means of its Processing of Shared Personal Data; and (c) for the avoidance of doubt, are not and shall not be ‘joint controllers’ (as such or similar terms are defined under Data Protection Laws) of Shared Personal Data. Each Party shall provide reasonable cooperation and assistance to the other Party as necessary for the other Party’s compliance with Data Protection Laws (at the other Party’s reasonable expense) with respect to Shared Personal Data. Customer shall not disclose Shared Personal Data to any third parties except as expressly permitted under the Agreement. Further, Customer shall delete all Shared Personal Data promptly upon the occurrence of any of the following: (i) where Customer does not place the winning bid for an impression to which that Shared Personal Data relates or (ii) after Customer provides an advertisement (directly or indirectly, such as via a third-party ad server in the latter case) in response to an ad request to which that Shared Personal Data relates. Without limiting the foregoing, Customer shall not, and shall not permit any third party to, use any Shared Personal Data in connection with any profiling or tracking of any end user or any other Data Subject or of any mobile property or publisher.
  2. Each Party shall, with respect to the Processing of any Shared Personal Data, comply with Data Protection Laws, including, where applicable, as follows:

    1. each Party shall provide all applicable notices, disclosures, and privacy policies to Data Subjects as required under Data Protection Laws for the lawful Processing by it of Shared Personal Data (“Transparency Notices”). Customer shall disclose its access or use of the Services, its sharing or otherwise making available of Shared Personal Data with/to ByteBrew, and how ByteBrew Processes Shared Personal Data in its Transparency Notices. For example, if Customer has embedded ByteBrew advertising Services in their mobile applications or websites, this can be done by including the following language in Customer’s Transparency Notices: “We work with ByteBrew to deliver ads. For more information about ByteBrew’s collection and use of your information, visit: https://legal.ByteBrew.com/privacy/.”
    2. each Party shall provide all required mechanisms for, and shall comply with Data Protection Laws regarding, Data Subject Rights and shall respond to inquiries by governmental authorities where required by Data Protection Laws;
    3. neither Party shall Process the Shared Personal Data for any purpose other than as set out in its Transparency Notice and unless such Processing is also authorized under Data Protection Laws and the Agreement;
    4. each Party shall ensure that all of its employees engaged in the Processing of such Shared Personal Data act consistently with this DPA;
    5. each Party shall implement technical and organisational security measures designed to prevent (i) a breach in security leading to the accidental, unlawful, or unauthorized destruction, loss, alteration, or disclosure of, or access to, Shared Personal Data or (ii) any other security incident that amounts to a “personal data breach” (as such term or similar term, such as “breach of the security system” or “data breach,” is defined under Data Protection Laws) of Shared Personal Data (in either case of (i) and (ii), a “Data Breach”);
    6. each Party agrees that any agreement with a subprocessor used to Process Shared Personal Data shall comply with the Data Protection Laws; and
    7. for the avoidance of doubt, each Party is and shall remain responsible for its compliance with its respective obligations as a controller under Data Protection Laws.
  3. Each Party shall in particular, to the extent legally permissible, notify the other without undue delay (i) of any requests to exercise Data Subject Rights received by that Party regarding the Shared Personal Data, to the extent required under Data Protection Law; (ii) about regulatory inquiries involving the Processing of Shared Personal Data, and (iii) any Data Breach involving the Shared Personal Data to the extent resulting in material destruction, loss, alteration, or disclosure of, or access to, that Shared Personal Data.
  4. Without limitation of the obligations and restrictions otherwise set forth in this DPA and elsewhere in the Agreement, each Party shall provide all required notices to, and obtain all necessary permissions and consents from, the relevant Data Subjects whenever required under the Data Protection Laws to lawfully permit such Party’s Processing of Shared Personal Data in its capacity as an independent Controller of the Shared Personal Data. Customer represents and warrants it has provided (and shall maintain) all required notices in compliance with Section 3(b)(i) and obtained all necessary permissions and consents required under the Data Protection Laws from the relevant Data Subjects on behalf of ByteBrew to lawfully permit ByteBrew to Process Shared Personal Data as contemplated in the Agreement and this DPA.
  5. Where consent is the lawful basis for Processing Shared Personal Data or otherwise required for the access or use of the Services, Customer represents and warrants that it shall, at all times, make available, maintain, and make operational on the Customer’s properties: (i) a mechanism for obtaining such consent from Data Subjects in accordance with the requirements of the Data Protection Laws; (ii) a mechanism for Data Subjects to withdraw such consent (opt-out) in accordance with the Data Protection Laws; and (iii) a mechanism for notifying ByteBrew of such withdrawal of consent (opt-out) where required under Data Protection Laws. Customer shall honor, in compliance with Data Protection Laws, all signals that ByteBrew sends to Customer regarding whether the Data Subject has withdrawn consent or opted out of “sales” or “shares” (as such terms “sale” and “share” are defined under Data Protection Laws) or any similar signals (e.g., an opt out of targeted advertising).
  6. With respect to the CCPA, (i) the Shared Personal Data is disclosed to ByteBrew for the limited and specified purposes of enabling ByteBrew (or its demand partners) to bid on advertising inventory, serve Advertisements in connection with the Services, optimize the Services, and as otherwise permitted by the Agreement; (ii) each Party shall comply with the CCPA where applicable, including by providing the same level of privacy protection as required of Businesses under the CCPA to the extent required of such Party under the CCPA; (iii) the Sharing Party may take reasonable and appropriate steps to ensure that the other Party Processes Shared Personal Data in a manner consistent with the Sharing Party’s obligations under the CCPA; (iv) a Party shall notify the Sharing Party promptly after such other Party makes a determination that it can no longer meet its obligations under the CCPA; and (v) the Sharing Party, upon reasonable prior notice, take reasonable and appropriate steps to stop and remediate the unauthorized Processing of Shared Personal Data.
  7. If Customer qualifies as a “foreign party” as defined in 28 CFR Part 202 (or similar laws in applicable jurisdictions), Customer represents and warrants that it will not sell, provide access to, or otherwise share or attempt to share any data provided to Customer pursuant to its access or use of the Services to “countries of concern” or “covered persons” as defined in 28 CFR Part 202. If Customer knows or suspects that a country of concern or covered person has gained access to any data provided to Customer pursuant to its access or use of the Services, the Customer represents and warrants that it will immediately notify ByteBrew and take other appropriate steps required under applicable laws.

4. GENERAL.

  1. In the event of any conflict or discrepancy between the SCCs, the Agreement, and this DPA, the following order of precedence will apply: (i) the SCCs, (ii) this DPA, and (iii) the Agreement.
  2. This DPA does not alter the limitations of liability set out in the Agreement.
  3. This DPA will become effective on the date Customer has accepted the Agreement or the date on which the Customer started to access or use the Services. This DPA will terminate simultaneously and automatically upon the termination or expiration of the Agreement.
  4. To the extent required by Data Protection Law, this DPA will be governed by the laws of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction set forth in the Agreement.

5. INTERNATIONAL TRANSFERS.

  1. Customer acknowledges that ByteBrew’s primary processing operations take place in the United States, and that the transfer of Shared Personal Data to the United States is necessary for the provision of the Services to Customer. If ByteBrew transfers Shared Personal Data protected under this DPA to a jurisdiction that is not an Adequate Jurisdiction, ByteBrew will ensure that appropriate safeguards have been implemented for the transfer of such Shared Personal Data in accordance with Data Protection Laws. The Parties agree that the SCCs shall apply to the transfer of, including access to, Shared Personal Data:

    1. in the case of a transfer from Customer to ByteBrew, where the Processing of the Shared Personal Data by the Customer is subject to EU Data Protection Law or the LGPD; or
    2. in the case of a transfer from ByteBrew to Customer, where:
      1. the Customer is not established in an Adequate Jurisdiction;
      2. the Processing of the Shared Personal Data is subject to EU Data Protection Law or the LGPD or ByteBrew is otherwise contractually required to enter into the SCCs.
  2. For the purposes of the SCCs:

    1. Annex 1.A (List of Parties) shall be deemed to incorporate the information in Schedule I;
    2. Annex 1.B (Description of Transfer) shall be deemed to incorporate the information in Schedule III;
    3. Annex 1.C (Competent Supervisory Authority) shall be deemed to refer to the supervisory authority identified in Schedule II;
    4. Annex II (Technical and Organisational Measures) shall be deemed to incorporate the information in Schedule II;
    5. The optional language within clause 7 of the SCCs does not apply;
    6. The optional language within clause 11(a) of the SCCs does not apply;
    7. Pursuant to clause 17, the SCCs will be governed by the laws of the Republic of Ireland;
    8. Pursuant to clause 18(b) of the SCCs, the Parties shall resolve disputes under the SCCs before the courts of the Republic of Ireland;
    9. In relation to Table 4 referenced in the UK Mandatory Clauses, ByteBrew will be entitled to terminate the Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses;
    10. The Approved Addendum (including the EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales;
    11. With respect to transfers from Switzerland, the EU SCCs shall be modified as follows:
      1. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) with respect to data transfers subject to the FADP.
      2. Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner (“FDPIC”) of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR. Subject to the foregoing, all other requirements of Clause 13 shall be observed.
      3. The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; and
    12. For data exporters established within Brazil (or for purposes of transfers of Shared Personal Data under the LGPD), the SCCs shall be governed by the laws of the Federative Republic of Brazil. Further, for such transfers under the LGPD, the applicable Data Protection Law shall be understood as the LGPD and the supervisory authority is the National Data Protection Authority in Brazil (ANPD).

SCHEDULE I

PARTIES

Contractual party and Role: ByteBrew (Controller)
Address of the party, contact person’s name, position and contact details and, where applicable, of its data protection officer and/or representative in the EU:
ByteBrew, Inc.
Address: PO BOX 5010 PMB 101 Rancho Santa Fe, CA 92067
E-mail: privacy@bytebrew.io
If you are located in the European Union, you may use the following information to contact our Data Protection Officer: GDPR@bytebrew.io
Activities relevant to the data transferred under these Clauses: Shared Personal Data is transferred (A) to ByteBrew from Customer or (B) to Customer from ByteBrew in the course of providing the Services.

Contractual party and Role: Customer (Controller)
Address of the party, contact person’s name, position and contact details and, where applicable, of its data protection officer and/or representative in the EU: As specified in the Agreement or in the Customer’s account.
Activities relevant to the data transferred under these Clauses: Shared Personal Data is transferred (A) to ByteBrew from Customer or (B) to Customer from ByteBrew in the course of providing the Services.

SCHEDULE II

SCCS

Information deemed incorporated into the SCCs
Data exporter:

(A) Customer is the data exporter to the extent Customer provides and Processes Shared Personal Data of EU and UK Data Subjects in connection with the access or use of the Services.

(B) ByteBrew is the data exporter to the extent ByteBrew provides and Processes Shared Personal Data of EU and UK Data Subjects in connection with the access or use of the Services.

Data importer: ByteBrew is the data importer in the event of (A) described above, and Customer is the data importer in the event of (B) described above.
Annex I.A List of Parties: Relevant information regarding “Data exporter” and “Data importer” under this Schedule I and Schedule II are incorporated by reference herein.
Annex I.B Description of Transfer: Relevant information from Schedule III below is incorporated by reference herein.
Annex I.C Competent Supervisory Authority: The competent supervisory authority shall be determined based on the situation applicable to the data exporter under clause 13 of the SCCs (e.g., if the data exporter is established in an EU member state, or falls under GDPR Article 3(2) and has an appointed representative under GDPR Article 27(1), or falls under GDPR Article 3(2) and has not appointed a representative under GDPR Article 27(1)), except that, in the case of the UK SCCs, the competent supervisory authority under the UK SCCs will be the UK Information Commissioner.
Annex II Technical and Organisational Measures: Data importer will implement and maintain appropriate administrative, physical, and technical safeguards designed for the protection of the security, confidentiality and integrity of Shared Personal Data uploaded to the Services as required under Data Protection Laws, which includes the following measures:

  1. Pseudonymization and encryption of Shared Personal Data including use of SSL and TLS encryption configurations for all Shared Personal Data.
  2. Ongoing confidentiality, integrity, availability, and resilience of processing systems and services afforded by large secure cloud services running multi-region environments to ensure a solid foundation for security and reliability.
  3. Restoring availability and access to personal data after a physical or technical incident: data importer shall use large secure cloud services running multi-region zones to ensure reliable access and service availability.
  4. User identification and authorization: data importer maintains access controls using multi-factor authentication and permission controls for limited access to authorized personnel.
  5. Protection of data during transmission: all Shared Personal Data is fully encrypted in transit using TLS and SSL encryption.
  6. Protection of data during storage: all Shared Personal Data is stored under the company’s private network layer, with DDoS prevention and configured firewalls designed to avoid security vulnerabilities.
  7. Limited data retention: Shared Personal Data is only retained as necessary to fulfill permitted purposes in accordance with the Agreement and DPA.
  8. Accountability: Data importer has engaged highly skilled and experienced personnel, does not release code to production without proper testing, and regularly deprecates out-of-date code to avoid security risks from legacy code.
  9. Technical and organizational measures of sub-processors: Data importer enters into Data Processing Agreements or equivalent agreements with its sub-processors containing data protection obligations substantially similar to those in this DPA.

SCHEDULE III

DESCRIPTION OF THE TRANSFER

Categories of data subjects whose data is transferred

The Shared Personal Data transferred concerns the following categories of data subjects:

  • Individuals who are end users of Customer’s digital property (including mobile application(s), websites, and platforms) (each, an “End User”).
  • Individuals who are Customer’s marketing and business contacts.
  • Individuals whose navigation of a digital property such as a mobile application or website.
  • Individuals who are Customer’s employees, agents, or representatives in ByteBrew’s platform.

Categories of data transferred

The Shared Personal Data transferred may include the following categories of data:

  • Advertising identifiers (e.g., IDFA/Google Ad ID);
  • IP address;
  • Device make, model, hardware, and operating system;
  • Device properties and settings;
  • Transactional or other “event” data related to an End User’s interaction with an application, such as information about purchases or application installations; and
  • Business contact and billing information (e.g., name, email address, billing address, telephone number, VAT number, bank account number to the extent considered Shared Personal Data).

Sensitive data transferred (if applicable)

The Shared Personal Data transferred concerns the following categories of sensitive data:

  • None. Customer shall ensure that no sensitive personal data will be shared with ByteBrew.

The frequency of the transfer

  • As necessary to perform all obligations and exercise all rights with respect to Shared Personal Data as provided in the Agreement or DPA.

Nature of the Processing and Purpose of the transfer(s) and further Processing

  • The Shared Personal Data is Processed for the purpose of providing the Services in accordance with the Agreement, including all permissible purposes set forth in the respective data importer’s Transparency Notice.

The period for which the Shared Personal Data will be retained, or, if that is not possible, the criteria used to determine that period

  • Data is typically retained by ByteBrew for up to two (2) years from collection. Certain limited data may be retained for longer periods where necessary to support product functionality.

For transfers to (sub-)processors, also specify subject matter, nature and duration of the Processing

The Shared Personal Data transferred may be disclosed to Processors in accordance with this Addendum and Data Protection Laws.