Back to BidNeuron

Data Processing Agreement

Our standard DPA governing the processing of personal data on behalf of advertiser clients.

Last updated: April 1, 2026

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement ("MSA") between BidNeuron AdTech ("Processor") and the advertiser client ("Controller"). It governs the processing of personal data in connection with the provision of BidNeuron's DSP services, in compliance with GDPR (EU) 2016/679 and applicable data protection laws.

1. Definitions

  • Controller — the advertiser client who determines the purposes and means of data processing
  • Processor — BidNeuron AdTech, processing personal data on behalf of the Controller
  • Personal Data — any information relating to an identified or identifiable natural person, including pseudonymous identifiers used in programmatic advertising
  • Processing — any operation performed on personal data, including collection, storage, use, and deletion
  • Sub-processor — any third party engaged by BidNeuron to process personal data in the provision of the service

2. Subject Matter & Duration

BidNeuron processes personal data solely for the purpose of delivering, optimizing, and reporting on advertising campaigns as directed by the Controller. Processing commences upon activation of the first campaign and continues for the duration of the MSA, plus any data retention period specified herein.

3. Nature and Purpose of Processing

BidNeuron processes personal data for the following purposes on behalf of the Controller:

  • Real-time bidding (RTB) and programmatic ad delivery
  • Audience targeting and lookalike modeling using first-party data provided by the Controller
  • Frequency capping and retargeting
  • Conversion attribution via MMP integrations
  • Campaign performance reporting and analytics
  • Fraud detection and invalid traffic (IVT) filtering

4. Types of Personal Data Processed

  • Mobile advertising identifiers (IDFA, GAID)
  • Hashed email addresses or phone numbers (for CRM matching)
  • IP addresses (used for geo-targeting, truncated post-processing)
  • Device type, OS, browser metadata
  • Behavioral signals and conversion events

5. Controller Instructions

BidNeuron processes personal data only on documented instructions from the Controller, as set out in the MSA and campaign briefs. If BidNeuron is required by law to process data beyond these instructions, it will notify the Controller unless prohibited by law.

6. Confidentiality

BidNeuron ensures that personnel authorized to process personal data are subject to binding confidentiality obligations.

7. Security Measures

BidNeuron implements the following technical and organizational security measures:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls and principle of least privilege
  • Multi-factor authentication for platform access
  • Annual penetration testing by accredited third parties
  • SOC 2 Type II and ISO 27001 certification
  • Incident response procedures with 72-hour breach notification

8. Sub-processors

BidNeuron uses the following categories of sub-processors to deliver the service. The Controller grants general authorization for the use of sub-processors, with BidNeuron providing 30 days notice of any material changes.

  • Cloud Infrastructure — AWS (Singapore, US, EU regions), Google Cloud Platform
  • CDN — Cloudflare (ad serving and DDoS protection)
  • MMP Integrations — AppsFlyer, Adjust, Branch, Kochava (as directed by Controller)
  • Supply Partners — SSPs operating under their own DPAs with publishers

9. Data Subject Rights

BidNeuron will assist the Controller in fulfilling data subject requests (access, deletion, portability, objection) to the extent technically feasible. Controllers must submit data subject requests to privacy@bidneuron.com. BidNeuron will respond within 5 business days.

10. International Transfers

Where personal data is transferred outside the EEA, BidNeuron ensures appropriate safeguards via EU Standard Contractual Clauses (Module 3: Processor-to-Processor) incorporated by reference into this DPA.

11. Data Retention & Deletion

Upon termination of the MSA, BidNeuron will delete or return all personal data within 90 days, unless retention is required by applicable law. Aggregated, anonymized data may be retained for platform benchmarking purposes.

12. Audit Rights

The Controller may conduct audits of BidNeuron's data processing activities with 30 days written notice, no more than once per calendar year. BidNeuron may satisfy audit requests by providing up-to-date third-party certification reports (SOC 2, ISO 27001).

13. Governing Law

This DPA is governed by the same law as the MSA. For EU-based Controllers, this DPA incorporates the requirements of GDPR Article 28 and the applicable Standard Contractual Clauses.

14. Contact

For DPA execution or data processing inquiries, contact legal@bidneuron.com or our DPO at privacy@bidneuron.com.